Closed
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
🤖_primary: AI based primary recommendation
bug: Something isn't working
duplicate-38
satisfactory: satisfies C4 submission criteria; eligible for awards
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Description
Lines of code
Vulnerability details
In _payDebt(), we need to calculate amountIn first.
    function _payDebt(uint256 debtAmount, uint256 fee) internal {
        _repay(wETHA(), debtAmount);
        // Get a Quote to know how much collateral I require to pay debt
        (uint256 amountIn, , , ) = uniQuoter().quoteExactOutputSingle(
    @>      IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, 500, 0)
        );
        _withdraw(ierc20A(), amountIn, address(this));
        uint256 output = _swap(
            ISwapHandler.SwapParams(
                ierc20A(),
                wETHA(),
                ISwapHandler.SwapType.EXACT_OUTPUT,
                amountIn,
                debtAmount + fee,
    @>          _swapFeeTier,
                bytes("")
            )
        );
        // When there are leftovers from the swap, deposit them back
        uint256 wethLefts = output > (debtAmount + fee) ? output - (debtAmount + fee) : 0;
        if (wethLefts > 0) {
            _supply(wETHA(), wethLefts);
        }
        emit StrategyUndeploy(msg.sender, debtAmount);
    }

In the above method, QuoteExactOutputSingleParams.fee is hardcoded to a fixed value of 500, whereas it should correctly use _swapFeeTier.
Impact
Using the incorrect FeeTier could lead to inaccuracies in amountIn, resulting in a failed swap.
Recommended Mitigation
function _payDebt(uint256 debtAmount, uint256 fee) internal {
_repay(wETHA(), debtAmount);
// Get a Quote to know how much collateral i require to pay debt
(uint256 amountIn, , , ) = uniQuoter().quoteExactOutputSingle(
- IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, 500, 0)
+ IQuoterV2.QuoteExactOutputSingleParams(ierc20A(), wETHA(), debtAmount + fee, _swapFeeTier, 0)
);
_withdraw(ierc20A(), amountIn, address(this) );
Assessed type
Context
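Review bot: On the + line of the Recommended Mitigation diff the struct is still built positionally, so the fee tier is the fourth of five unlabeled arguments next to a bare 0, which makes a wrong literal such as the 500 on the - line easy to miss. Consider the named-field form, for example fee: _swapFeeTier, so that the quote is visibly tied to the same tier as the _swap call further down in _payDebt(). The patch also comes without a test; a case that sets _swapFeeTier to a value other than 500 and exercises _payDebt() would pin the fix.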
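The failure mode described under Impact, as an added example (not code from the report or from the audited project): a simplified Python model in which each fee tier is its own constant-product pool with constructed reserves, and the quoted amountIn is treated as the most the swap can spend. Pool, pay_debt and the other names are hypothetical.

```python
# Added illustration, not project code. Assumption: every fee tier is its own
# constant-product pool (real Uniswap v3 pools use concentrated liquidity).
from dataclasses import dataclass

FEE_DENOMINATOR = 1_000_000  # fee units as in the report: 500 means 0.05 %

@dataclass
class Pool:  # hypothetical model type
    fee: int
    reserve_in: int   # collateral token held by the pool (constructed)
    reserve_out: int  # WETH held by the pool (constructed)

    def amount_in_for(self, amount_out: int) -> int:
        """Input needed for exactly amount_out, fee included (floor + 1)."""
        if amount_out >= self.reserve_out:
            raise ValueError("insufficient liquidity")
        num = self.reserve_in * amount_out * FEE_DENOMINATOR
        den = (self.reserve_out - amount_out) * (FEE_DENOMINATOR - self.fee)
        return num // den + 1

class SwapReverted(Exception):
    """Stands in for the on-chain revert."""

def quote_exact_output(pools, fee, amount_out):
    return pools[fee].amount_in_for(amount_out)

def swap_exact_output(pools, fee, amount_out, amount_in_max):
    needed = pools[fee].amount_in_for(amount_out)
    if needed > amount_in_max:
        raise SwapReverted(f"needs {needed}, only {amount_in_max} available")
    return needed

def pay_debt(pools, swap_fee_tier, owed, quote_fee_tier):
    """Same order as _payDebt(): quote, withdraw amount_in, exact-output swap."""
    amount_in = quote_exact_output(pools, quote_fee_tier, owed)
    return swap_exact_output(pools, swap_fee_tier, owed, amount_in)

# Constructed pools with identical reserves, differing only in fee tier.
POOLS = {fee: Pool(fee, 2_000_000, 1_000_000) for fee in (500, 3000)}

if __name__ == "__main__":
    print("matching tiers:", pay_debt(POOLS, 3000, 10_000, quote_fee_tier=3000))
    try:
        pay_debt(POOLS, 3000, 10_000, quote_fee_tier=500)
    except SwapReverted as exc:
        print("quote hardcoded to 500:", exc)
```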