buyQuote
rounds the answer down which can be abused for a profit
#328
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-243
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L399
Vulnerability details
Impact
The
buyQuote
function calculates the "amount of base tokens required to buy a given amount of fractional tokens". This value is rounded down, which differs from the similar function in UniswapV2. Since the value is rounded down instead of up, the user will pay less than they need to, which can be abused to make a profit.Proof of Concept
buyQuote
calculations would have a relatively small amount ofoutputAmount
token round down to zero, so that the user pays nothing to get a non-zero amount of output, which would be worth a non-trivial amount of money in the case of WBTC.Tools Used
Manual.
Recommended Mitigation Steps
Add one to the final answer in
buyQuote
, similar to howgetAmountIn
works in UniswapV2.The text was updated successfully, but these errors were encountered: