You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Dec 31, 2023. It is now read-only.
Wrong assignment of cumulativeBid for RangeOrder state in getRangeOrderState function
Summary
Wrong assignment of cumulativeBid for RangeOrder state
Vulnerability Detail
In D3Trading, the getRangeOrderState function is returning RangeOrder (get swap status for internal swap) which is assinging wrong toTokenMMInfo.cumulativeBid which suppose to be cumulativeBid not cumulativeAsk
The error lies in the assignment of roState.toTokenMMInfo.cumulativeBid. Instead of assigning tokenCumMap[toToken].cumulativeAsk, it should be assigning tokenCumMap[toToken].cumulativeBid.
This wrong assignment value definitely will mess up accounting balance, resulting unknown state will occure, which is not expected by the protocol
For one case, this getRangeOrderState is being used in querySellTokens & queryBuyTokens which may later called from sellToken and buyToken. The issue is when calling _contructTokenState which can be reverted from PMMRangeOrder when buy or sell token
When the tokenMMInfo.cumulativeBid (which was wrongly assign from cumulativeAsk) is bigger than tokenState.B0, this will revert
Impact
This wrong assignment value definitely will mess up accounting balance, resulting unknown state will occure, which is not expected by the protocol. For example reverting state showing a case above.
bitsurfer
high
Wrong assignment of
cumulativeBid
for RangeOrder state in getRangeOrderState functionSummary
Wrong assignment of
cumulativeBid
for RangeOrder stateVulnerability Detail
In
D3Trading
, thegetRangeOrderState
function is returning RangeOrder (get swap status for internal swap) which is assinging wrong toTokenMMInfo.cumulativeBid which suppose to becumulativeBid
notcumulativeAsk
The error lies in the assignment of
roState.toTokenMMInfo.cumulativeBid
. Instead of assigningtokenCumMap[toToken].cumulativeAsk
, it should be assigningtokenCumMap[toToken].cumulativeBid
.This wrong assignment value definitely will mess up accounting balance, resulting unknown state will occure, which is not expected by the protocol
For one case, this
getRangeOrderState
is being used inquerySellTokens
&queryBuyTokens
which may later called fromsellToken
andbuyToken
. The issue is when calling_contructTokenState
which can be reverted fromPMMRangeOrder
when buy or sell tokenWhen the
tokenMMInfo.cumulativeBid
(which was wrongly assign fromcumulativeAsk
) is bigger thantokenState.B0
, this will revertImpact
This wrong assignment value definitely will mess up accounting balance, resulting unknown state will occure, which is not expected by the protocol. For example reverting state showing a case above.
Code Snippet
https://github.com/sherlock-audit/2023-06-dodo/blob/main/new-dodo-v3/contracts/DODOV3MM/D3Pool/D3Trading.sol#L86-L87
Tool used
Manual Review
Recommendation
Fix the error to
The text was updated successfully, but these errors were encountered: