Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Initia>High findings>Stablepool swap can be called, repeating the same asset
GeneralOverview
Findings
Critical (3)
High (12)Missing gas charge on memo in native_nft_transferNext zapping ID potentially duplicatedPublished module names do not necessarily match binary moduleStablepools can be created with one or no assetsStablepool swap can be called, repeating the same assetFrozen module coin store can cause chain haltMalicious proposer can skip fee checkMove coins can be burned twiceQuery gas limit not enforced through bank moduleIncorrect signer check for shorthand accountsValidator set updates can skip current validatorsWithdrawal hash clash using variable-length fields
Medium (4)
Low (9)
Informational (3)
DiscussionGeneral DiscussionImprove AMM testsBridge executor minting powerCharge before using valuesEmpty allowed_publishers array allows every address to publishERC20Keeper with custom contractsSuggestions for additional security checksTable handle overflow leads to abort
Threat ModelWhat are threat models?stdlib
Audit ResultsSummary
AppendixProof of concept: Reference safety verifier bypass
Category: Coding Mistakes

Stablepool swap can be called, repeating the same asset

High Severity
Informational Impact
Low Likelihood

Description

The stableswap.move module implements an AMM based on the Curve StableSwap price function.

The swap function can be used to perform a swap between assets contained in the pool:

public fun swap(
    pair: Object<Pool>,
    offer_coin: FungibleAsset, 
    return_coin_metadata: Object<Metadata>, 
    min_return_amount: Option<u64>
): FungibleAsset acquires Pool

The function reverts if offer_coin or return_coin_metadata are not assets contained in the pool. However, it does not require offer_coin and return_coin_metadata to refer to two different assets.

Impact

This issue is reported as informational as we were unable to circumvent an unintentional revert due to an underflow in one of the helper functions called to perform the swap calculations, get_y. However, other third-party modules that rely on the AMM may be impacted to a greater extent, even by a denial-of-service condition. Considering the importance of the AMM modules on the ecosystem and the potential — even if undetermined — impact on third-party modules, we classify this issue as high severity.

Recommendations

Require the input and output assets in a swap to differ from each other.

Remediation

Zellic © 2024Back to top ↑