Platform: Code4rena
Start Date: 21/08/2023
Pot Size: $36,500 USDC
Total HM: 1
Participants: 43
Period: 7 days
Judge: Dravee
Id: 277
League: ETH
Rank: 5/43
Findings: 3
Award: $1,965.21
🌟 Selected for report: 0
🚀 Solo Findings: 0
1933.5938 USDC - $1,933.59
Lack of balance checks in the withdrawGivenOutputAmount function can lead to various unpredictable consequences due to the breach of the requirements "The pool's balances of the x reserve and y reserve tokens must be greater than the MIN_BALANCE" and "The pool's ratio of y to x must be within the interval [MIN_M, MAX_M)".
The withdrawGivenOutputAmount function receives a withdrawnAmount parameter which describes how many reserve tokens the user wants to withdraw. There are no balance checks in the withdrawGivenOutputAmount function or in the _reserveTokenSpecified function, similar to the checks in the _swap function. So users can withdraw more tokens than is safe for the contract.
Manual review
I suggest using the _checkBalances function at the withdrawGivenOutputAmount function or at the _reserveTokenSpecified function.
Other
#0 - c4-pre-sort
2023-08-29T06:09:04Z
0xRobocop marked the issue as duplicate of #268
#1 - c4-pre-sort
2023-08-29T06:09:08Z
0xRobocop marked the issue as sufficient quality report
#2 - JustDravee
2023-09-11T19:17:34Z
To be combined with #186 to form a complete submission
#3 - c4-judge
2023-09-11T19:20:47Z
JustDravee changed the severity to 3 (High Risk)
#4 - c4-judge
2023-09-11T19:24:45Z
JustDravee marked the issue as satisfactory
1933.5938 USDC - $1,933.59
Lack of balance checks in the depositGivenInputAmount function can lead to various unpredictable consequences due to the breach of the requirement "The pool's ratio of y to x must be within the interval [MIN_M, MAX_M)".
The depositGivenInputAmount function receives a depositedAmount parameter which describes how many reserve tokens the user wants to deposit. There are no balance checks in the depositGivenInputAmount function or in the _reserveTokenSpecified function, similar to the checks in the _swap function. So users can deposit an amount of tokens that breaches the pool's ratio.
Manual review
I suggest using the _checkBalances function at the depositGivenInputAmount function or at the _reserveTokenSpecified function.
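As an added illustration for both balance-check findings above (this is not the audited project's code and not part of either submission), the following simplified pool enforces the two cited invariants on the post-operation reserves before committing them, the way the swap path is described as doing. The contract name CheckedPool, the constant values, the 1e18-scaled ratio, the in-contract reserve storage and the omission of token transfers and share accounting are all assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only; this is not the audited project's code.
// The pool keeps its reserves in storage and every state-changing path
// validates the candidate reserves with one _checkBalances routine.
// Constant values, the 1e18-scaled ratio and the contract name are
// assumptions made for this example.
contract CheckedPool {
    enum SpecifiedToken { X, Y }

    uint256 public constant MIN_BALANCE = 1e12;   // assumed value
    uint256 private constant ONE = 1e18;          // fixed-point scale for the ratio
    uint256 public constant MIN_M = ONE / 100;    // assumed: y/x >= 0.01
    uint256 public constant MAX_M = 100 * ONE;    // assumed: y/x < 100

    uint256 public xBalance;
    uint256 public yBalance;

    error BalanceBelowMinimum(uint256 x, uint256 y);
    error RatioOutOfBounds(uint256 m);

    constructor(uint256 x, uint256 y) {
        _checkBalances(x, y);
        xBalance = x;
        yBalance = y;
    }

    // Invariants named in the findings: both reserves strictly above
    // MIN_BALANCE and the ratio m = y/x inside [MIN_M, MAX_M). Called on
    // candidate balances before they are written to storage.
    function _checkBalances(uint256 x, uint256 y) internal pure {
        if (x <= MIN_BALANCE || y <= MIN_BALANCE) revert BalanceBelowMinimum(x, y);
        uint256 m = (y * ONE) / x;
        if (m < MIN_M || m >= MAX_M) revert RatioOutOfBounds(m);
    }

    // Shape the findings describe: the reserve is updated with no invariant
    // check, so a withdrawal can push a reserve to or below MIN_BALANCE or
    // move the ratio outside [MIN_M, MAX_M).
    function withdrawGivenOutputAmountUnchecked(uint256 withdrawnAmount, SpecifiedToken token) external {
        if (token == SpecifiedToken.X) xBalance -= withdrawnAmount;
        else yBalance -= withdrawnAmount;
    }

    // Hardened form: same arithmetic, then _checkBalances on the resulting
    // reserves, as the swap path already does.
    function withdrawGivenOutputAmount(uint256 withdrawnAmount, SpecifiedToken token) external {
        (uint256 x, uint256 y) = (xBalance, yBalance);
        if (token == SpecifiedToken.X) x -= withdrawnAmount; // checked arithmetic reverts on underflow
        else y -= withdrawnAmount;
        _checkBalances(x, y);
        (xBalance, yBalance) = (x, y);
    }

    // Same pattern on the deposit side: an over-large single-sided deposit
    // would otherwise breach the ratio bound.
    function depositGivenInputAmount(uint256 depositedAmount, SpecifiedToken token) external {
        (uint256 x, uint256 y) = (xBalance, yBalance);
        if (token == SpecifiedToken.X) x += depositedAmount;
        else y += depositedAmount;
        _checkBalances(x, y);
        (xBalance, yBalance) = (x, y);
    }
}
```

The point of the hardened functions is that the check runs on the computed reserves before storage is updated, so a deposit or withdrawal that would leave the pool outside its operating envelope reverts instead of leaving later swaps to operate on an invalid state.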
Other
#0 - c4-pre-sort
2023-08-29T06:10:05Z
0xRobocop marked the issue as duplicate of #268
#1 - c4-pre-sort
2023-08-29T06:10:10Z
0xRobocop marked the issue as sufficient quality report
#2 - c4-judge
2023-09-11T19:20:47Z
JustDravee changed the severity to 3 (High Risk)
#3 - c4-judge
2023-09-11T19:24:49Z
JustDravee marked the issue as satisfactory
🌟 Selected for report: Udsen
Also found by: 0xSmartContract, 0xmystery, 0xprinc, Fulum, JP_Courses, MatricksDeCoder, Mirror, MohammedRizwan, MrPotatoMagic, Rolezn, Shubham, Testerbot, ast3ros, chainsnake, lanrebayode77, lsaudit, nisedo, plainshift, pontifex, prapandey031
9.1555 USDC - $9.16
Mistakes in comments can be misleading.
The comment "amount cannot be less than 0" should be "amount should be less than 0". There are 3 instances:
295: // amount cannot be less than 0
296: require(result < 0);
450: // amount cannot be less than 0
451: require(result < 0);
487: // amount cannot be less than 0
488: require(result < 0);
The comment "We use FEE_UP because we want to increase the perceived amount of" should be "We use FEE_DOWN because we want to increase the perceived amount of".
459: * @dev We use FEE_UP because we want to increase the perceived amount of
...
481: FEE_DOWN,
The comment "Calculates the b variable in the curve eq which is basically a sq. root of the inverse of x instantaneous price" should be "Calculates the b variable in the curve eq which is basically a sq. root of the of x instantaneous price".
120: @notice Calculates the b variable in the curve eq which is basically a sq. root of the inverse of x instantaneous price
...
124: return p_min(self).sqrt();
It is hard to check the correctness of constant values due to insufficient comments.
157: int128 constant MAX_M = 0x5f5e1000000000000000000;
163: int128 constant MIN_M = 0x00000000000002af31dc461;
169: int256 constant MAX_PRICE_VALUE = 1844674407370955161600000000;
175: int256 constant MIN_PRICE_VALUE = 184467440737;
#0 - c4-pre-sort
2023-08-30T04:45:21Z
0xRobocop marked the issue as sufficient quality report
#1 - c4-judge
2023-09-11T19:51:06Z
JustDravee marked the issue as grade-b
🌟 Selected for report: lsaudit
Also found by: 0x11singh99, 0x4non, 0xAnah, 0xSmartContract, 0xhacksmithh, JP_Courses, Jorgect, MrPotatoMagic, Sathish9098, epistkr, pfapostol, pontifex
22.4575 USDC - $22.46
t(self) in _addShares function
Use caching variables for t(self) storage variables in the p_min and p_max functions to prevent multiple storage readings.
98: if (t(self) > ABDK_ONE) return self.px_final;
99: else return self.px_init.mul(ABDK_ONE.sub(t(self))).add(self.px_final.mul(t(self)));
107: if (t(self) > ABDK_ONE) return self.py_final;
108: else return self.py_init.mul(ABDK_ONE.sub(t(self))).add(self.py_final.mul(t(self)));
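As an added illustration (not the audited project's code and not part of the submission), the library below mirrors the shape of the p_min/p_max functions quoted in this finding and places the cached form beside it. The library name CurveParams, the Config struct fields, the t() formula and the use of ABDKMath64x64 (imported from its published npm path) for the 64.64 fixed-point arithmetic are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only; not the audited project's code. Mirrors the
// shape of the p_min/p_max functions quoted in the finding and shows the
// cached form. Struct fields and the t() formula are assumptions.
import "abdk-libraries-solidity/ABDKMath64x64.sol";

library CurveParams {
    using ABDKMath64x64 for int128;

    int128 internal constant ABDK_ONE = int128(int256(1 << 64)); // 1.0 in 64.64 format

    struct Config {
        int128 px_init;
        int128 px_final;
        int128 py_init;
        int128 py_final;
        uint256 t_init;   // assumed: start of the interpolation window (timestamp)
        uint256 t_final;  // assumed: end of the interpolation window (timestamp), > t_init
    }

    // Assumed shape: elapsed fraction of the window in 64.64 format. Each call
    // reads two storage slots, which is the cost the caching below avoids repeating.
    function t(Config storage self) internal view returns (int128) {
        uint256 tInit = self.t_init;
        uint256 tFinal = self.t_final;
        if (block.timestamp <= tInit) return 0;
        return ABDKMath64x64.divu(block.timestamp - tInit, tFinal - tInit);
    }

    // Shape quoted in the finding: t(self) is evaluated up to three times per call.
    function p_min_uncached(Config storage self) internal view returns (int128) {
        if (t(self) > ABDK_ONE) return self.px_final;
        else return self.px_init.mul(ABDK_ONE.sub(t(self))).add(self.px_final.mul(t(self)));
    }

    // Cached form: t(self) is evaluated once into a stack variable and reused.
    function p_min(Config storage self) internal view returns (int128) {
        int128 tNow = t(self);
        if (tNow > ABDK_ONE) return self.px_final;
        return self.px_init.mul(ABDK_ONE.sub(tNow)).add(self.px_final.mul(tNow));
    }

    // Same caching applied to the y-side parameter.
    function p_max(Config storage self) internal view returns (int128) {
        int128 tNow = t(self);
        if (tNow > ABDK_ONE) return self.py_final;
        return self.py_init.mul(ABDK_ONE.sub(tNow)).add(self.py_final.mul(tNow));
    }
}
```

The cached versions return the same values as the uncached ones for every timestamp; the only difference is that the storage reads behind t(self) happen once per call instead of up to three times.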
#0 - c4-pre-sort
2023-08-30T02:24:40Z
0xRobocop marked the issue as low quality report
#1 - 0xRobocop
2023-08-30T02:25:03Z
Low quality report.
#2 - c4-judge
2023-09-11T20:05:21Z
JustDravee marked the issue as grade-b