User can buy fractional tokens for free. #86
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-141
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-caviar/blob/main/src/Pair.sol#L399
Vulnerability details
Impact
User could buy fractional tokens for free.
Proof of Concept
Currently the implementation of
buyQuote
function is as follow:This will calculate the amount of
base token
a user must spend to getoutputAmount
offractional token
. As you can see this is an integerdivision, it could result in zero if
outputAmount * 1000 * baseTokenReserves())
<((fractionalTokenReserves() - outputAmount) * 997)
and this could happen often when base token with small number of digits is used, I should note here thatfractional token
is always 18 digits.Below is a test case to demonstrate this finding, I use a 6 digits ERC20 tokens:
Tools Used
Manual review
Recommended Mitigation Steps
I recommend you should check if variable
inputAmount
returned from functionbuyQuote
is >0, only then the fractional tokens are transferredto the buyer
The text was updated successfully, but these errors were encountered: