Token is refunded wrongly in the two-step swap #12
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-7
- 🤖_02_group: AI based duplicate group recommendation
- sufficient quality report: This report is of sufficient quality
- unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
- upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2024-10-superposition/blob/7ad51104a8514d46e5c3d756264564426f2927fe/pkg/seawater/src/lib.rs#L290-L297
Vulnerability details
Proof of Concept
The `swap_2_internal_erc20` function in the Seawater AMM refunds excess tokens in the wrong token type. This happens when the original amount provided by the user is greater than the amount actually used by the AMM. The problem here is that the function is attempting to refund the excess amount using the wrong token. When refunding excess tokens, it's using the destination token (`to`) instead of the source token (`from`). This is incorrect because the user provided `original_amount` of the source token (`from`), and the AMM used `amount_in` of that token for the swap. Also, if there's a difference, the excess should be refunded in the original source token (`from`), not the destination token (`to`).

Bug location:
https://github.com/code-423n4/2024-10-superposition/blob/7ad51104a8514d46e5c3d756264564426f2927fe/pkg/seawater/src/lib.rs#L290-L297
The function flows thus:
1. `original_amount` of token `from`
2. `amount_in` for the swap
3. `original_amount > amount_in`, excess should be refunded
4. Refund is executed using destination token (`to`) instead of source token (`from`)

Consider a scenario given:
Expected:
Actual (buggy):
As a result, users receive refunds in the wrong token type.
Recommendation:
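The refund flow this report describes, as a self-contained Rust model added here; it is not code from the Seawater repository or from the report. The `Ledger` type, the `user`/`pool` holders, the `FROM`/`TO` token names, the `refund_in_from` switch and all amounts are constructed for illustration, and the model assumes the pool takes `original_amount` of `from` up front.

```rust
use std::collections::HashMap;

// Constructed model: balances keyed by (holder, token). Not Seawater code.
type Ledger = HashMap<(&'static str, &'static str), u64>;

fn bal(l: &Ledger, holder: &'static str, token: &'static str) -> u64 {
    *l.get(&(holder, token)).unwrap_or(&0)
}

fn transfer(l: &mut Ledger, token: &'static str, src: &'static str, dst: &'static str, amt: u64) {
    let s = l.entry((src, token)).or_insert(0);
    *s = s.checked_sub(amt).expect("insufficient balance");
    *l.entry((dst, token)).or_insert(0) += amt;
}

// Assumed flow, following the report: the pool takes `original_amount` of `from`,
// consumes only `amount_in`, pays `amount_out` of `to`, then refunds the excess.
// `refund_in_from = false` reproduces the reported behaviour (refund paid in `to`).
fn swap_2(l: &mut Ledger, from: &'static str, to: &'static str,
          original_amount: u64, amount_in: u64, amount_out: u64, refund_in_from: bool) {
    transfer(l, from, "user", "pool", original_amount);
    transfer(l, to, "pool", "user", amount_out);
    if original_amount > amount_in {
        let refund_token = if refund_in_from { from } else { to };
        transfer(l, refund_token, "pool", "user", original_amount - amount_in);
    }
}

// Returns (user FROM, user TO, pool FROM, pool TO) after one swap with constructed amounts.
fn run(refund_in_from: bool) -> (u64, u64, u64, u64) {
    let mut l = Ledger::new();
    l.insert(("user", "FROM"), 1_000);
    l.insert(("pool", "FROM"), 5_000);
    l.insert(("pool", "TO"), 5_000);
    swap_2(&mut l, "FROM", "TO", 1_000, 900, 450, refund_in_from);
    (bal(&l, "user", "FROM"), bal(&l, "user", "TO"), bal(&l, "pool", "FROM"), bal(&l, "pool", "TO"))
}

fn main() {
    println!("refund in `to`   (reported): {:?}", run(false));
    println!("refund in `from` (expected): {:?}", run(true));
}
```

A regression test for this class of bug can assert that the user's `from` balance falls by exactly `amount_in` and the `to` balance rises by exactly `amount_out`.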