Attackers can steal fractional tokens from the protocol #351
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-243
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L398
https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L477
Vulnerability details
Impact
Attackers can steal fractional tokens from the protocol
Proof of Concept
Anyone can buy fractional tokens from the pair by calling the buy() function. The protocol takes payment in the base token, in the amount of buyQuote(outputAmount). The function buyQuote() calculates the necessary amount based on baseTokenReserves() and fractionalTokenReserves(). While the fractional token has 18 decimals, there are base tokens with fewer decimals. The commonly used USDC has 6 decimals, for example.
So it is possible that buyQuote() returns zero due to rounding. For example, if the base token has 6 decimals, the function will return zero for outputAmount < 10**12 (not accurate due to slippage and the subtraction in the denominator, but around this). Also note that the protocol does not require the calculated input amount to be positive. (L#157)
So attackers can get fractional tokens without any payment (except gas).
Tools Used
Manual Review
Recommended Mitigation Steps
buyQuote().
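The rounding described in the Proof of Concept, modelled with Python integers, which floor-divide like Solidity's uint256 for non-negative values. This is an added example, not code from the report or from the Caviar repository: the quote formula is an assumed fee-less constant-product form, the reserve figures are constructed, and the round-up variant is one common hardening, not the project's fix.

```python
# Added illustration (not the project's code): fee-less constant-product quote.
# Assumed form: input = outputAmount * baseReserves / (fractionalReserves - outputAmount)


def _check(output_amount, frac_reserves):
    if not 0 < output_amount < frac_reserves:
        raise ValueError("output_amount must be in (0, frac_reserves)")


def buy_quote_floor(output_amount, base_reserves, frac_reserves):
    """Quote that rounds down: the behaviour the report describes."""
    _check(output_amount, frac_reserves)
    return (output_amount * base_reserves) // (frac_reserves - output_amount)


def buy_quote_ceil(output_amount, base_reserves, frac_reserves):
    """Hardened variant: round up in the pool's favour, reject a zero price."""
    _check(output_amount, frac_reserves)
    num = output_amount * base_reserves
    den = frac_reserves - output_amount
    quote = -(-num // den)  # ceiling division on non-negative integers
    if quote == 0:  # only reachable when base_reserves == 0
        raise ValueError("input amount must be positive")
    return quote


def max_free_output(base_reserves, frac_reserves):
    """Largest output_amount whose floor quote is 0 (0 means none exists).

    floor(out * B / (F - out)) == 0  <=>  out * (B + 1) < F
    """
    return (frac_reserves - 1) // (base_reserves + 1)


# Constructed pools: 1,000,000 whole tokens on each side, price 1:1.
FRAC = 10**6 * 10**18          # fractional token, 18 decimals
BASE_6_DEC = 10**6 * 10**6     # base token with 6 decimals (USDC-like)
BASE_18_DEC = 10**6 * 10**18   # base token with 18 decimals

if __name__ == "__main__":
    for label, base in (("6 decimals", BASE_6_DEC), ("18 decimals", BASE_18_DEC)):
        m = max_free_output(base, FRAC)
        print(f"base token with {label}: largest zero-cost output = {m}")
        if m:
            print("  floor quote:", buy_quote_floor(m, base, FRAC),
                  "| ceil quote:", buy_quote_ceil(m, base, FRAC))
```

With the 6-decimal pool the zero-cost bound lands just under 10**12, matching the estimate in the report; with an 18-decimal base token at the same price there is no zero-cost amount.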