search

sherlock-audit / 2024-03-arrakis-judging

2 stars 2 forks source link

unix515 - HOT#`getLiquidityQuote()` is always reverted because `liquidityQuote` is never updated. #23

Closed sherlock-admin2 closed 3 months ago

sherlock-admin2 commented 3 months ago

unix515

medium

HOT#getLiquidityQuote() is always reverted because liquidityQuote is never updated.

Summary

HOT#getLiquidityQuote() is always reverted because liquidityQuote was not be updated from HOT#_ammSwap() and HOT#`_hotSwap().

Vulnerability Detail

  1. On HOT#getLiquidityQuote(), liquidityQuote should be updated from HOT#_ammSwap() and HOT#`_hotSwap().
function getLiquidityQuote( 
    ALMLiquidityQuoteInput memory _almLiquidityQuoteInput,
    bytes calldata _externalContext,
    bytes calldata /*_verifierData*/
) external override onlyPool onlyUnpaused 
    returns (ALMLiquidityQuote memory liquidityQuote) {

    if (_externalContext.length == 0) {
        //<---------- @audit
        _ammSwap(_almLiquidityQuoteInput, liquidityQuote);
    } else {
        //<---------- @audit
        _hotSwap(_almLiquidityQuoteInput, _externalContext, liquidityQuote);
        ... 
    }
    ...
}
  1. But liquidityQuote will keep as initial value, since liquidityQuote is transferred as memory, not storage.
function _ammSwap(
    ALMLiquidityQuoteInput memory almLiquidityQuoteInput,
    ALMLiquidityQuote memory liquidityQuote 
) internal {
    ...
}

function _hotSwap(  
    ALMLiquidityQuoteInput memory almLiquidityQuoteInput,
    bytes memory externalContext,
    ALMLiquidityQuote memory liquidityQuote
) internal {
    ...
}
  1. So HOT#getLiquidityQuote() is always reverted on the last check statement.
function getLiquidityQuote( 
    ALMLiquidityQuoteInput memory _almLiquidityQuoteInput,
    bytes calldata _externalContext,
    bytes calldata /*_verifierData*/
) external override onlyPool onlyUnpaused 
    returns (ALMLiquidityQuote memory liquidityQuote) {
    ...
    //<-------------- @audit
    if (liquidityQuote.amountOut == 0) {
        revert HOT__getLiquidityQuote_zeroAmountOut();
    }
}

Impact

HOT#getLiquidityQuote() is always reverted.

Code Snippet

https://github.com/sherlock-audit/2024-03-arrakis/tree/main/valantis-hot/src/HOT.sol#L840-L875

https://github.com/sherlock-audit/2024-03-arrakis/tree/main/valantis-hot/src/HOT.sol#L880-L999

Tool used

Manual Review

Recommendation

Please update HOT#_ammSwap() and HOT#_hotSwap() as follows.

function _ammSwap(
    ALMLiquidityQuoteInput memory almLiquidityQuoteInput,
--  ALMLiquidityQuote memory liquidityQuote 
++  ALMLiquidityQuote storage liquidityQuote    
) internal {
    ...
}

function _hotSwap(  
    ALMLiquidityQuoteInput memory almLiquidityQuoteInput,
    bytes memory externalContext,
--  ALMLiquidityQuote memory liquidityQuote
++  ALMLiquidityQuote storage liquidityQuote
) internal {
    ...
}