Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Aqua Pool>Discussion>Missing checks compared to CurveTwoCryptoOptimized
GeneralOverview
Findings
Medium (1)
Low (1)
DiscussionAdditions over CurveTwoCryptoOptimized Vyper codeMissing checks compared to CurveTwoCryptoOptimizedDifferential fuzz testingA `withdrawMode == 3` skips minting protocol fee
Audit ResultsSummary

Missing checks compared with the CurveTwoCryptoOptimized Vyper code

Some invariants are not checked in the Solidity code, but they are checked in the original Vyper code.

For example, the Solidity code does not check the frac invariant in tweakPrice. The original Vyper code performs the following check:

for k in range(N_COINS):
    frac: uint256 = xp[k] * 10**18 / D  # <----- Check validity of
    assert (frac > 10**16 - 1) and (frac < 10**20 + 1)  #   p_new.

Additionally, the Solidity code does not check that the token_amount is less than the total token_supply, as the original Vyper does.

Similarly, throughout the contract, other checks are missing. We note, however, that we could not identify any direct security implications of these missing checks.

Zellic © 2024Back to top ↑