User will receive fewer tokens if the swap path contains more than one token whose decimal is 0
Summary
In the current implementation, JalaFactory.createPair does not check whether a token's decimal is larger than 0 when creating a token pair, so a pair containing a 0-decimal token can be created.
If the swap path in JalaRouter02.swapXXX contains two tokens that use 0 as their decimal, the output amount will be less than expected.
70  // given an input amount of an asset and pair reserves, returns the maximum output amount of the other asset
71  function getAmountOut(
72      uint256 amountIn,
73      uint256 reserveIn,
74      uint256 reserveOut
75  ) internal pure returns (uint256 amountOut) {
76      if (amountIn == 0) revert InsufficientInputAmount();
77      if (reserveIn == 0 || reserveOut == 0) revert InsufficientLiquidity();
78      uint256 amountInWithFee = amountIn * 997;
79      uint256 denominator = (reserveIn * 1000) + amountInWithFee;
80      uint256 numerator = amountInWithFee * reserveOut;
81      amountOut = numerator / denominator;
82  }
As shown in JalaLibrary.sol#L78-L81, because of the 0.3% fee and rounding down, amountOut for a 0-decimal token will be less than expected. In the following test, the ratio of tokenA to tokenB is 1:1, but 3 wei of tokenA can be swapped for only 2 wei of tokenB.
For the POC, create a new file JalaRouter02_0.t.sol under the test folder and run: forge test --mc JalaRouter02Dec_Test --mt test_SwapExactTokensForZeroDecTokens -vv
jasonxiale
medium
Vulnerability Detail
Take JalaRouter02.swapExactTokensForTokens as an example. JalaRouter02.swapExactTokensForTokens calls JalaLibrary.getAmountsOut to calculate the swapped amount for each token pair. Within JalaLibrary.getAmountsOut, JalaLibrary.getAmountOut is used to calculate the output amount from the input amount.
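The rounding effect can be reproduced with plain integer arithmetic. This is an added example, not code from the Jala project or the original report: a Python model of the getAmountOut formula shown on this page, chained per hop the way getAmountsOut is described; the pool reserves (1,000 tokens per side), the two-hop path and the 18-decimal comparison are constructed assumptions.

```python
# Added illustration (not project code): integer model of the getAmountOut
# formula quoted on this page, applied hop by hop along a swap path.

def get_amount_out(amount_in, reserve_in, reserve_out):
    if amount_in == 0:
        raise ValueError("InsufficientInputAmount")
    if reserve_in == 0 or reserve_out == 0:
        raise ValueError("InsufficientLiquidity")
    amount_in_with_fee = amount_in * 997                 # 0.3% fee
    denominator = reserve_in * 1000 + amount_in_with_fee
    numerator = amount_in_with_fee * reserve_out
    return numerator // denominator                      # integer division rounds down


def get_amounts_out(amount_in, hops):
    """hops: (reserve_in, reserve_out) for each pair on the path."""
    amounts = [amount_in]
    for reserve_in, reserve_out in hops:
        amounts.append(get_amount_out(amounts[-1], reserve_in, reserve_out))
    return amounts


def received_permille(amount_in, hops):
    """Final output in parts per thousand of the input (all pools here are 1:1)."""
    return get_amounts_out(amount_in, hops)[-1] * 1000 // amount_in


# Constructed sample pools: 1,000 whole tokens on each side, path A -> B -> C.
ZERO_DEC = [(1_000, 1_000)] * 2                # smallest unit == 1 whole token
UNIT = 10**18
EIGHTEEN_DEC = [(1_000 * UNIT, 1_000 * UNIT)] * 2

if __name__ == "__main__":
    print("0-decimal amounts per hop:", get_amounts_out(3, ZERO_DEC))
    print("0-decimal received (permille):", received_permille(3, ZERO_DEC))
    print("18-decimal received (permille):", received_permille(3 * UNIT, EIGHTEEN_DEC))
```

With the same 1:1 reserves and the same fee, the 18-decimal path loses only the fee and price impact, while the 0-decimal path loses a whole token to truncation at every hop.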
Impact
Users will receive fewer tokens if the swap path contains more than one token whose decimal is 0
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/030d3ed54214754301154bce0e58ea534100a7e3/jalaswap-dex-contract/contracts/libraries/JalaLibrary.sol#L71-L82
Tool used
Manual Review
Recommendation