KupiaSec - After the current reserves are updated, kLast is also updated. As a result, the _mintFee function in JalaPair is unable to mint fee tokens. #217
After the current reserves are updated, kLast is also updated. As a result, the _mintFee function in JalaPair is unable to mint fee tokens.
Summary
The _mintFee function in JalaPair.sol determines the fee amount of liquidity tokens using the difference between the previous and current reserves. However, because the value of kLast is not being correctly updated, this results in the _mintFee function being unable to mint fee-based liquidity.
Vulnerability Details
In the JalaPair contract, liquidity is generated based on the growth of sqrt(reserve0 * reserve1) as fees during mint and burn operations.
Specifically, within the _mintFee function, the values of rootK (calculated from the current reserves) and rootKLast (computed using the most recent reserves) are used to determine the fee-based liquidity.
_update(balance0, balance1, _reserve0, _reserve1);
@> if (feeOn) kLast = uint256(reserve0) * reserve1; // reserve0 and reserve1 are up-to-date
emit Mint(msg.sender, amount0, amount1);
}
However, it should be noted that the value of kLast is only updated after the pair's reserves have already been adjusted according to the latest mint or burn action. Consequently, when the subsequent mint or burn operation takes place, both rootK and rootKLast inside the _mintFee function will hold identical values. This ultimately leads to the calculation of zero fee-based liquidity by the _mintFee function.
KupiaSec
medium
After the current reserves are updated, kLast is also updated. As a result, the _mintFee function in JalaPair is unable to mint fee tokens.
Summary
The _mintFee function in JalaPair.sol determines the fee amount of liquidity tokens using the difference between the previous and current reserves. However, because the value of kLast is not being correctly updated, this results in the _mintFee function being unable to mint fee-based liquidity.
Vulnerability Details
In the
JalaPair
contract, liquidity is generated based on the growth ofsqrt(reserve0 * reserve1)
as fees duringmint
andburn
operations.Specifically, within the
_mintFee
function, the values ofrootK
(calculated from the current reserves) androotKLast
(computed using the most recent reserves) are used to determine the fee-based liquidity.However, it should be noted that the value of
kLast
is only updated after the pair's reserves have already been adjusted according to the latestmint
orburn
action. Consequently, when the subsequentmint
orburn
operation takes place, both rootK and rootKLast inside the_mintFee
function will hold identical values. This ultimately leads to the calculation of zero fee-based liquidity by the_mintFee
function.Attached below is the proof-of-concept test file:
Impact
JalaPair.sol
miscalculates the fee liquidity as 0 hence addressfeeTo
can't receive the corresponding fee.Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/030d3ed54214754301154bce0e58ea534100a7e3/jalaswap-dex-contract/contracts/JalaPair.sol#L110
Tool used
Manual Review
Recommendation
Update the
mint
andburn
function ofJalaPair.sol
Duplicate of #179