Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect Decoding of Swap Results Leads to Ineffective Slippage Protection #154

Open
c4-bot-7 opened this issue Sep 13, 2024 · 1 comment
Open

Incorrect Decoding of Swap Results Leads to Ineffective Slippage Protection #154

c4-bot-7 opened this issue Sep 13, 2024 · 1 comment
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working 🤖_primary AI based primary recommendation 🤖_14_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-7
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/SeawaterAMM.sol#L316
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/SeawaterAMM.sol#L316
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/lib.rs#L194

Vulnerability details

The swapOut5E08A399() and swapOutPermit23273373B() functions in the SeawaterAMM contract incorrectly decode the results of a swap operation, leading to ineffective slippage protection. This issue arises from a mismatch between the swap direction and the order of decoded values.

In both functions, a swap is executed with zeroForOne set to false, indicating a swap from token1 to token0. However, when decoding the swap results, the order of swapAmountIn and swapAmountOut is reversed, causing the slippage check to be performed on the wrong value. This is because the function swap904369BE returns amount0, amount1 so is the caller which should interpret which corresponds to token in and token out. This incorrect decoding leads to a situation where the slippage protection is not applied as intended, potentially exposing users to unexpected losses.

Impact

Users may receive fewer tokens than expected without the transaction reverting, leading to financial losses. This issue could be exploited by malicious actors to manipulate swap outcomes to their advantage.

Proof of Concept

  1. A user calls swapOut5E08A399() or swapOutPermit23273373B() to swap token1 for token0.
  2. The function executes the swap with zeroForOne set to false.
  3. The swap is successful, returning the amounts swapped.
  4. The slippage check is performed on swapAmountOut, which actually contains the input amount.
  5. The user receives fewer tokens than expected without the transaction reverting.

Tools Used

Manual review

Recommended Mitigation Steps

Correct the decoding of swap results in both swapOut5E08A399() and swapOutPermit23273373B() functions.

Assessed type

Other
@c4-bot-7 c4-bot-7 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Sep 13, 2024
c4-bot-1 added a commit that referenced this issue Sep 13, 2024
@c4-bot-1
Testerbot issue #154
6084a0d
@c4-bot-12 c4-bot-12 added 🤖_14_group AI based duplicate group recommendation 🤖_primary AI based primary recommendation labels Sep 13, 2024
howlbot-integration bot added a commit that referenced this issue Sep 16, 2024
@howlbot-integration
Testerbot update issue #154
e85d0bd
@howlbot-integration howlbot-integration bot added the sufficient quality report This report is of sufficient quality label Sep 16, 2024
@af-afk
Copy link

af-afk commented Sep 23, 2024

fluidity-money/long.so@1e49a07

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working 🤖_primary AI based primary recommendation 🤖_14_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@af-afk @c4-bot-7 @c4-bot-12