Closed sherlock-admin4 closed 1 month ago
AgileJune
high
There are cases for the _hotSwap() function to revert due to overflow
_hotSwap() function has calculation part like Line921~Line926 to get amountOut.
_hotSwap()
liquidityQuote.amountOut = almLiquidityQuoteInput.isZeroToOne ? ( Math.mulDiv( almLiquidityQuoteInput.amountInMinusFee * sqrtHotPriceX96, sqrtHotPriceX96, HOTConstants.Q192 ) ) : (Math.mulDiv(almLiquidityQuoteInput.amountInMinusFee, HOTConstants.Q192, sqrtHotPriceX96) / sqrtHotPriceX96);
If a user swaps super low price token (like shib inu) for WETH (high price), it will cause overflow At the time of report, SHIB / USD price : 25 * 10 * 12 (oracle decimal 18) WETH / USD price : 382765 10 16 (oracle decimal 18) SHIB token decimal : 18 WETH token decimal: 18 amountIn (WETH) = 1 ether (10 18)
shib/eth sqrtOraclePriceX96 = 1.5 * 2 13 * 2 * 96 = 1.5 2 109
amountOut = amountIn sqrtHotPriceX96 sqrtHotPriceX96 / HOTConstants.Q192
Assuming that sqrtHotPriceX96 is close to sqrtOraclePriceX96, amountIn * sqrtHotPriceX96 * sqrtHotPriceX96 = 10 ** 18 * 1.5 * 2 ** 109 * 1.5 * 2 ** 109 > 9.4 * 10 ** 83 is greater than type(uint256).max
amountIn * sqrtHotPriceX96 * sqrtHotPriceX96 = 10 ** 18 * 1.5 * 2 ** 109 * 1.5 * 2 ** 109 > 9.4 * 10 ** 83
So the _hotSwap() function will revert.
_hotSwap() function will revert so that the hot protocol gets failed for some tokens pair swap.
https://github.com/ValantisLabs/valantis-hot/blob/main/src/HOT.sol#L923-L927
Manual Review
Recheck to calculate amountOut according to quoted price in order to avoid overflow with specific tokens pair
AgileJune
high
_hotSwap() will be reverted for some tokens pair due to overflow
Summary
There are cases for the _hotSwap() function to revert due to overflow
Vulnerability Detail
_hotSwap()function has calculation part like Line921~Line926 to get amountOut.If a user swaps super low price token (like shib inu) for WETH (high price), it will cause overflow At the time of report, SHIB / USD price : 25 * 10 * 12 (oracle decimal 18) WETH / USD price : 382765 10 16 (oracle decimal 18) SHIB token decimal : 18 WETH token decimal: 18 amountIn (WETH) = 1 ether (10 18)
shib/eth sqrtOraclePriceX96 = 1.5 * 2 13 * 2 * 96 = 1.5 2 109
amountOut = amountIn sqrtHotPriceX96 sqrtHotPriceX96 / HOTConstants.Q192
Assuming that sqrtHotPriceX96 is close to sqrtOraclePriceX96,
amountIn * sqrtHotPriceX96 * sqrtHotPriceX96 = 10 ** 18 * 1.5 * 2 ** 109 * 1.5 * 2 ** 109 > 9.4 * 10 ** 83is greater than type(uint256).maxSo the _hotSwap() function will revert.
Impact
_hotSwap() function will revert so that the hot protocol gets failed for some tokens pair swap.
Code Snippet
https://github.com/ValantisLabs/valantis-hot/blob/main/src/HOT.sol#L923-L927
Tool used
Manual Review
Recommendation
Recheck to calculate amountOut according to quoted price in order to avoid overflow with specific tokens pair