Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Invalid or Unexpected Return Values in previewUnitaryAddLiquidity Function #12

Open
hats-bug-reporter bot opened this issue Nov 13, 2024 · 1 comment
Open

Invalid or Unexpected Return Values in previewUnitaryAddLiquidity Function #12

hats-bug-reporter bot opened this issue Nov 13, 2024 · 1 comment
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter
Copy link

Github username: --
Twitter username: --
Submission hash (on-chain): 0x427591f2d369cdc84151cc5950aaa0a2683c7f0c792aaacb1721a3c7c49812e5
Severity: high

Description:
Summary:

  • The CurveLiqArbitrage.sol#L33-#L56 function fails to validate the return values of last_prices() and coins(0) from the curvePool contract, which can lead to unexpected behavior. A user can input a malicious curvePool address to manipulate return values from these functions, causing potential calculation errors, transaction reversion, or unintended behavior within the function.

Vulnerability Details:

  1. Function: previewUnitaryAddLiquidity
  2. Location:
    • last_prices() call, which lacks validation to prevent zero or extremely large values.
    • coins(0) call, which may not point to an ERC-20 token with a valid decimals() function.
  3. Impact: Division by zero, underflows, or other calculation errors.
  4. Root Cause: Lack of validation on last_prices() and coins(0) return values.

Code Reference:

uint256 lastPrices = ICurvePool(curvePool).last_prices();
uint256 tokenUnit = 10 ** IERC20Metadata(ICurvePool(curvePool).coins(0)).decimals();

return ICurvePool(curvePool).calc_token_amount([amountToken0, amountToken1]).mulDiv(
    tokenUnit,
    depositInToken0
);

Suggested Fix:
Add validation checks for both last_prices() and coins(0) before calculations:

// Validate last_prices
uint256 lastPrices = ICurvePool(curvePool).last_prices();
require(lastPrices > 0, "Invalid last_prices value");

// Validate coins(0) and its decimals
address token0 = ICurvePool(curvePool).coins(0);
require(token0 != address(0), "Invalid token0 address");

uint256 tokenDecimals;
try IERC20Metadata(token0).decimals() returns (uint8 decimals) {
    tokenDecimals = decimals;
} catch {
    revert("Invalid token0 decimals");
}

uint256 tokenUnit = 10 ** tokenDecimals;

// Proceed with calc_token_amount calculation
uint256 result;
try ICurvePool(curvePool).calc_token_amount([amountToken0, amountToken1]) returns (uint256 calcAmount) {
    result = calcAmount.mulDiv(tokenUnit, depositInToken0);
} catch {
    revert("Invalid calc_token_amount calculation");
}

return result;
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Nov 13, 2024
@yanisepfl yanisepfl added the invalid This doesn't seem right label Nov 13, 2024
@yanisepfl
Copy link
Collaborator

Hello,

Invalid for the same reason as: #11

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@yanisepfl