Zellic - Audit Reports

Category: Business Logic

Halving spread in base-to-base may be unsafe

Medium Severity

Medium Impact

Medium Likelihood

Description

In _swapBaseToBase, a base-to-base swap is executed by dividing the max spread of the two pairs, base-to-quote and quote-to-second-base, by two:

function _swapBaseToBase(
    address baseToken1,
    address baseToken2,
    uint256 base1Amount,
    uint256 minBase2Amount,
    address to,
    address rebateTo
) private nonReentrant whenNotPaused returns (uint256 base2Amount) {
    // [...]

    uint64 spread = _maxUInt64(state1.spread, state2.spread) / 2;
    uint16 feeRate = _maxUInt16(tokenInfos[baseToken1].feeRate, tokenInfos[baseToken2].feeRate);

    state1.spread = spread;
    state2.spread = spread;

    uint256 newBase1Price;
    (quoteAmount, newBase1Price) = _calcQuoteAmountSellBase(baseToken1, base1Amount, state1);

    // [...]

    uint256 newBase2Price;
    (base2Amount, newBase2Price) = _calcBaseAmountSellQuote(baseToken2, quoteAmount, state2);

    // [...]
}

Note that the swap-fee logic has been omitted from the above snippet to simplify the math below. Also, note that _sellBase and _sellQuote directly pass the state into the _calc* functions.

Assume that a user is swapping token A for token Q, which is the quote token, and then subsequently token Q for token B. Leaving out constant factors like decimals, let $n_{A}$ be the notional amount of A, defined as $Δ A * p_{A}$ where $Δ A$ is the amount of token A swapped and $p_{A}$ is the price.

With this, according to _calcQuoteAmountSellBase, for the sell base we have $γ = Δ A * p_{A} * k_{A} = n_{A} * k_{A}$ and then $Δ Q = Δ A * p_{A} * (1 - γ - s_{A}) = n_{A} (1 - n_{A} k_{A} - s_{A})$ . Note that this is a quadratic polynomial in $n_{A}$ where the only occurrence of the spread is $- s_{A}$ as a constant linear term in the coefficient for the first degree $n_{A}$ .

Similarly, according to _calcBaseAmountSellQuote, we have (note, this is a different $γ$ ) $γ = Δ Q * k_{B}$ and then $Δ B = Δ Q * (1 - γ - s_{B}) / p_{B}$ . So, again substituting, we have $n_{B} = Δ Q * (1 - Δ Q * k_{B} - s_{B})$ .

Now, if we substitute in $Δ Q$ , the result becomes a fourth-degree polynomial in $n_{A}$ .

Now on the other hand, if they executed _swapBaseToBase instead of base-to-quote and then quote-to-base, then according to the above code snippet, the calculation will be the same except $s_{A}^{'} = s_{B}^{'} = max (s_{A}, s_{B}) /2$ — let this just be $s^{'}$ . This means that the same expansion will follow in the calculation of $n_{B}^{'}$ in terms of $n_{A}$ , and so the difference $n_{B}^{'} - n_{B}$ will cancel out all the terms that do not depend on any $s$ .

So, with that simplification, the terms of $n_{B}$ that include some $s$ will sum to $Δ Q * (1 - Δ Q * k_{B} - s_{B}) = (1 - s_{B}) Δ Q - k_{B} (Δ Q)^{2} = (1 - s_{B}) (1 - s_{A}) n_{A} - (1 - s_{B}) k_{A} n_{A} - k_{B} (1 - s_{A})^{2} n_{A}^{2}$ .

So, whether the base-to-base return is better than the base-to-quote-to-base case clearly depends on the exact quantities involved, and there are examples for both. As a quick example, if we assume the spread for token B were zero, then

The first term is always higher, because $(1 - s_{A} /2)^{2} > (1 - s_{A})$ .
The second term cancels out because there is no dependence on $s_{A}$ .
The third term is always lower, because $- k_{B} (1 - s_{A} /2)^{2} < - k_{B} (1 - s_{A})^{2}$ (note that the domain of $s_{A}$ is from zero to one, and the breakeven points are the roots at zero and 1.33).

This means that which is bigger depends entirely on whether $k_{B}$ is larger or smaller, because it will control whether the first or third term dominates and the liquidity coefficient is a completely free parameter.

Impact

Due to nonlinearity, the approximation spread = _maxUInt64(state1.spread, state2.spread) / 2 may produce a large error if there is a large difference in oracle parameters, especially the liquidity coefficient k, such that users may get better execution doing a two-stage swap over a direct swap — whether that be base-to-base-to-quote instead of base-to-quote, or a base-to-quote-to-base instead of a base-to-base depending on the direction of the discrepancy.

Recommendations

We recommend not improving the spread in the base-to-base case and using the original spreads such that the only savings of base-to-base compared to base-to-quote-to-base is that the swap fee is not charged twice.

Remediation

This issue has been acknowledged by WOOFI, and a fix was implemented in commit 879afe26↗.