search

sherlock-audit / 2024-02-smilee-finance-judging

2 stars 1 forks source link

iberry - SwapAdapterRouter#_valueOut and SwapAdapterRouter#_valueIn function calculating the output amount amountOut and output amount amountIn error #25

Closed sherlock-admin3 closed 7 months ago

sherlock-admin3 commented 7 months ago

iberry

high

SwapAdapterRouter#_valueOut and SwapAdapterRouter#_valueIn function calculating the output amount amountOut and output amount amountIn error

Summary

SwapAdapterRouter#_valueOut and SwapAdapterRouter#_valueIn function calculating the output amount amountOut error which cause get error amountOut.

Vulnerability Detail

File: 2024-02-smilee-finance/smilee-v2-contracts/src/providers/SwapAdapterRouter.sol

234: function _valueOut(address tokenIn, address tokenOut, uint256 amountIn) private view returns (uint256 amountOut) { 235: IPriceOracle po = IPriceOracle(_ap.priceOracle()); 236: uint256 price = po.getPrice(tokenIn, tokenOut); 237: uint8 dIn = IERC20Metadata(tokenIn).decimals(); 238: uint8 dOut = IERC20Metadata(tokenOut).decimals(); 239: amountOut = price amountIn; 240: amountOut = dOut > dIn ? amountOut 10 (dOut - dIn) : amountOut / 10 (dIn - dOut); 241: amountOut = amountOut / 10 ** 18; @audit remove div 242: }

In the _valueOut function ,i summary, the mathematical formula for calculating the output amount amountOut is: amountOut = (price × amountIn × 10(dOut−dIn ))/10 18 but actually Uniswap mathematical formula: amountOut = (price × amountIn × 10**(dOut−dIn )

the same to SwapAdapterRouter#_valueIn

File: 2024-02-smilee-finance/smilee-v2-contracts/src/providers/SwapAdapterRouter.sol 251: function _valueIn(address tokenIn, address tokenOut, uint256 amountOut) private view returns (uint256 amountIn) { 252: IPriceOracle po = IPriceOracle(_ap.priceOracle()); 253: uint256 price = po.getPrice(tokenOut, tokenIn); 254: uint8 dIn = IERC20Metadata(tokenIn).decimals(); 255: uint8 dOut = IERC20Metadata(tokenOut).decimals(); 256: amountIn = price amountOut; 257: amountIn = dIn > dOut ? amountIn 10 (dIn - dOut) : amountIn / 10 (dOut - dIn); 258: amountIn = amountIn / 10 ** 18; @audit remove div 259: }

In the _valueIn function ,i summary, the mathematical formula for calculating the output amount amountIn is: amountIn = (price × amountOut × 10(dIn - dOut ))/10 18 but actually Uniswap mathematical formula: amountIn = (price × amountOut × 10**(dIn - dOut ))

Impact

Incorrect output amounts can result in traders receiving less or more than expected when executing swaps, leading to financial losses

Code Snippet

https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/providers/SwapAdapterRouter.sol#L234-L242 https://github.com/sherlock-audit/2024-02-smilee-finance/blob/main/smilee-v2-contracts/src/providers/SwapAdapterRouter.sol#L251-L259

Tool used

Manual Review

Recommendation

remove amountOut = amountOut / 10 ** 18; at SwapAdapterRouter#_valueOut and SwapAdapterRouter#_valueIn

sherlock-admin3 commented 7 months ago

2 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, because division by 1e18 is required due to multiplication by the 18-decimals price

takarez commented:

invalid