_bridgeOut in BranchPort.sol calculates the _amount and _deposit incorrectly #873
Labels
- bug: Something isn't working
- downgraded by judge: Judge downgraded the risk level of this issue
- grade-b
- low quality report: This report is of especially low quality
- Q-03
- QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/BranchPort.sol#L524-L532
Vulnerability details
Impact
Users may transfer more money than intended, resulting in a net loss for the user.
Proof of Concept
In _bridgeOut, either the hToken or the underlying token is being sent to the BranchPort address. For the hToken, the tokens will be burned, and for the underlying, the token will be stored in the BranchPort contract.
According to the discussions on Discord, the protocol admin mentions that if the user has 5 hToken and 5 underlying token, the amount called should be 10 and _deposit should be 5. This means that 5 hToken will be burnt from the user and 10 underlying token will be transferred from the user to the Port, instead of 5 underlying token.
If a user wants to transfer 10 tokens in total, he has to transfer 15 instead (5 hToken burnt and 10 underlying transferred).
Tools Used
VSCode
Recommended Mitigation Steps
Make sure that the calculation is correct so that if the user wants to transfer 10 tokens (5 hToken and 5 underlying), he will only need 5 hToken and 5 underlying, instead of 5 hToken and 10 underlying. This issue might be due to this line
which is pretty confusing. Amount should not be the total amount of tokens to bridge out but rather just the underlying amount of tokens to bridge out.
Assessed type
Other