sherlock-admin2
commented
3 days ago The protocol team fixed this issue in the following PRs/commits: https://github.com/mento-protocol/mento-core/pull/549
Open sherlock-admin2 opened 1 month ago
sherlock-admin2
commented
3 days ago The protocol team fixed this issue in the following PRs/commits: https://github.com/mento-protocol/mento-core/pull/549
0x46
Medium
Improper validation of exitContribution
Summary
The missing check in BancorExchangeProvider.sol: setExitContribution() will cause transaction reversion in swap functions for users as the function allows exitContribution to reach its maximum value (MAX_WEIGHT), which creates divisibility issues in subsequent calculations.
Setting exitContribution to MAX_WEIGHT causes division by zero in calculations for determining scaledAmountIn and scaledAmountOut, leading to reverts in swap functions like _getScaledAmountIn and _getScaledAmountOut.
Root Cause
https://github.com/sherlock-audit/2024-10-mento-update/blob/main/mento-core/contracts/goodDollar/BancorExchangeProvider.sol#L265 fails to account for the scenario when exitContribution equals MAX_WEIGHT, which creates a division by zero issue in calculations, specifically: https://github.com/sherlock-audit/2024-10-mento-update/blob/main/mento-core/contracts/goodDollar/BancorExchangeProvider.sol#L311 https://github.com/sherlock-audit/2024-10-mento-update/blob/main/mento-core/contracts/goodDollar/BancorExchangeProvider.sol#L345
Internal pre-conditions
Admin must call setExitContribution() and set exitContribution to exactly MAX_WEIGHT.
External pre-conditions
No response
Attack Path
No response
Impact
The protocol cannot process any transactions in affected pools as every swapIn or swapOut operation will revert. This causes a full denial of service on the impacted pools, affecting users attempting to transact.
PoC
No response
Mitigation
In BancorExchangeProvider.sol: setExitContribution(), update the requirement to prevent exitContribution from equaling MAX_WEIGHT: