The risk of not charging composition fee for tokenY when mint #241
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-177
edited-by-warden
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L545
Vulnerability details
Impact
The bug is related to the 'mint' function in LBPair.sol. Theoretically, the clauses on L534 and L545 will not be true at the same time. However, the rounding down in the calculations on L521, L528 and L529 discards some precision, which may make both clauses true. The current implementation will skip charging the composition fee for tokenY at this point.
With a specific example:
Let
Then
We get
Proof of Concept
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L521
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L528
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L529
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L534
https://github.com/code-423n4/2022-10-traderjoe/blob/79f25d48b907f9d0379dd803fc2abc9c5f57db93/src/LBPair.sol#L545
Tools Used
Recommended Mitigation Steps
Change the 'if else if' clause to an 'if if' clause.
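A toy model of the rounding problem described in this report, added here as an illustration and not taken from LBPair.sol or from the warden's submission. The share formulas, the `SCALE` fixed-point constant, the function names and the sample reserves and amounts are all assumptions constructed so that floor division makes both fee conditions true at once.

```python
from fractions import Fraction

SCALE = 1 << 16  # assumed fixed-point scale; a price is stored as price * SCALE


def redeemable(reserve_x, reserve_y, amount_x, amount_y, price, exact=False):
    """Amounts the newly minted liquidity could redeem (hypothetical formulas).

    exact=False rounds every division down, as integer math on-chain does;
    exact=True keeps full rational precision for comparison.
    """
    div = Fraction if exact else (lambda a, b: a // b)
    user_l = div(amount_x * price, SCALE) + amount_y    # user's liquidity
    bin_l = div(reserve_x * price, SCALE) + reserve_y   # liquidity already in the bin
    total = bin_l + user_l
    rx = div(user_l * (reserve_x + amount_x), total)
    ry = div(user_l * (reserve_y + amount_y), total)
    return rx, ry


def fees_else_if(amount_x, amount_y, rx, ry):
    """Reported control flow: the Y check is unreachable once the X check passes."""
    charged = []
    if amount_x > rx:
        charged.append("X")
    elif amount_y > ry:
        charged.append("Y")
    return charged


def fees_if_if(amount_x, amount_y, rx, ry):
    """Recommended control flow: each token is checked independently."""
    charged = []
    if amount_x > rx:
        charged.append("X")
    if amount_y > ry:
        charged.append("Y")
    return charged


if __name__ == "__main__":
    # Constructed sample: price 1.5, a deposit proportional to the bin's reserves.
    args = (1000, 1000, 101, 101, 3 * SCALE // 2)
    print("exact  :", redeemable(*args, exact=True))   # equals the deposit
    rx, ry = redeemable(*args)
    print("rounded:", (rx, ry))                        # both below the deposit
    print("else-if:", fees_else_if(101, 101, rx, ry))
    print("if-if  :", fees_if_if(101, 101, rx, ry))
```

With exact arithmetic neither condition holds for this deposit, so the mutually exclusive branches look safe; it is only the accumulated floor rounding that makes the second branch matter.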