Users are incorrectly refunded when liquidity is insufficient #5
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
H-02
primary issue: Highest quality submission among a set of duplicates
🤖_primary: AI based primary recommendation
🤖_02_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-10-superposition/blob/7ad51104a8514d46e5c3d756264564426f2927fe/pkg/seawater/src/lib.rs#L287-L297
Vulnerability details
Proof of Concept
In `swap_2_internal`, if the first pool doesn't have enough liquidity, `amount_in` could be less than `original_amount`, and as expected, `amount_in` is taken from swapper. But the function still refunds `original_amount - amount_in` to the user if `original_amount` is more than `amount_in`.

From the function, we can see that `amount_in` is taken from swapper. Then the function checks if `original_amount` is more than `amount_in`, before the difference is transferred back to the sender.

An unnecessary refund is processed leading to loss of funds for the protocol. Malicious users can take advantage of this to "rob" the protocol of funds through the refunds.
Recommended Mitigation Steps
No need to process refunds since `amount_in` is already taken.

Assessed type
Context
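
An added illustration, not part of the original submission or the Superposition code base: a simplified Rust model of the input-token accounting described in this finding, with the refund and without it. `Ledger`, `pool_consume`, the two settle functions and `protocol_delta` are hypothetical names, the liquidity cap stands in for the first pool running out of liquidity, and all balances are constructed.

```rust
// Simplified model only; every name except `original_amount` and `amount_in` is hypothetical.
#[derive(Debug, Clone, PartialEq)]
struct Ledger {
    swapper: u128,  // swapper's input-token balance
    protocol: u128, // protocol's input-token balance
}

/// Stand-in for the first pool: it consumes at most `liquidity_cap` of the input.
fn pool_consume(original_amount: u128, liquidity_cap: u128) -> u128 {
    original_amount.min(liquidity_cap)
}

/// Behaviour described in the finding: only `amount_in` is taken from the
/// swapper, yet `original_amount - amount_in` is still sent back.
fn settle_with_refund(l: &Ledger, original_amount: u128, cap: u128) -> Ledger {
    let amount_in = pool_consume(original_amount, cap);
    let mut out = l.clone();
    out.swapper -= amount_in;
    out.protocol += amount_in;
    if original_amount > amount_in {
        let refund = original_amount - amount_in; // tokens that were never taken
        out.protocol -= refund;
        out.swapper += refund;
    }
    out
}

/// Recommended mitigation: no refund, because only `amount_in` was ever taken.
fn settle_without_refund(l: &Ledger, original_amount: u128, cap: u128) -> Ledger {
    let amount_in = pool_consume(original_amount, cap);
    Ledger { swapper: l.swapper - amount_in, protocol: l.protocol + amount_in }
}

/// Invariant to assert in tests: the protocol's input-token balance must rise
/// by exactly the amount the pool consumed.
fn protocol_delta(before: &Ledger, after: &Ledger) -> i128 {
    after.protocol as i128 - before.protocol as i128
}

fn main() {
    let start = Ledger { swapper: 1_000, protocol: 5_000 }; // constructed balances
    let buggy = settle_with_refund(&start, 100, 40);
    let fixed = settle_without_refund(&start, 100, 40);
    println!("with refund:    {:?}, protocol delta {}", buggy, protocol_delta(&start, &buggy));
    println!("without refund: {:?}, protocol delta {}", fixed, protocol_delta(&start, &fixed));
}
```
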