Trades where toToken is feeOnTransferToken might send user less tokens than finalAmountMin #77
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
Handle
kenzo
Vulnerability details
Slingshot's executeTrades checks that the trade result amount (to be sent to the user) is bigger than finalAmountMin, and only after that sends the user the amount. But if the token charges a fee on transfer, the final transfer to the user will decrease the amount the user is getting, maybe below finalAmountMin.
Proof of Concept
Slingshot requires finalOutputAmount >= finalAmountMin before sending the funds to the user:
https://github.com/code-423n4/2021-10-slingshot/blob/main/contracts/Slingshot.sol#L93:#L98
So if the token charges fees on transfer, the user will get fewer tokens than finalOutputAmount. The check of finalOutputAmount against finalAmountMin is premature.
Tools Used
Manual analysis
Recommended Mitigation Steps
Save the user's (not Executioner's) toToken balance at the beginning of executeTrades, after _transferFromOrWrap(fromToken, _msgSender(), fromAmount), and again at the very end, after executioner.sendFunds(toToken, _msgSender(), finalOutputAmount) has been called. The user's ending balance minus the user's initial balance should be bigger than finalAmountMin.
https://github.com/code-423n4/2021-10-slingshot/blob/main/contracts/Slingshot.sol#L65:#L99
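The difference between the two check orders, as an added Python model that is not part of the original report and not Slingshot's Solidity code. The token class, the 2% fee, the amounts and the function names are constructed for illustration; the comparison operator follows the require quoted above.

```python
class Revert(Exception):
    """Stands in for a failed require()."""

class FeeOnTransferToken:
    """Constructed token model: fee_bps of every transfer is burned."""
    def __init__(self, fee_bps):
        self.fee_bps = fee_bps
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise Revert("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount - fee

def settle_premature(token, executioner, user, final_output, final_min):
    # Order described in the report: check first, then transfer.
    if final_output < final_min:
        raise Revert("finalOutputAmount < finalAmountMin")
    token.transfer(executioner, user, final_output)

def settle_balance_delta(token, executioner, user, final_output, final_min):
    # Recommended order: measure what the user actually received.
    snapshot = dict(token.balances)  # on-chain, a revert rolls state back
    before = token.balance_of(user)
    token.transfer(executioner, user, final_output)
    if token.balance_of(user) - before < final_min:
        token.balances = snapshot
        raise Revert("received < finalAmountMin")

def received_by_user(settle, fee_bps, final_output=1_000, final_min=990):
    # Constructed scenario: the user already holds 50 toToken before the trade.
    token = FeeOnTransferToken(fee_bps)
    token.mint("executioner", final_output)
    token.mint("user", 50)
    settle(token, "executioner", "user", final_output, final_min)
    return token.balance_of("user") - 50

if __name__ == "__main__":
    print(received_by_user(settle_premature, fee_bps=200))  # 980, below the 990 minimum
```

With a zero fee both orders deliver the full 1000; with the fee, only the balance-delta order reverts instead of underpaying.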