054.md

Brilliant Cotton Puma

High

Stablecoin minimum limits can be bypassed

Summary

Whenever a stablecoin swap occurs it is validated that the total supply of the token, which is getting burned, is not less than a minimum value. The issue is that this validation can be bypassed, whenever a stabelcoin swap occurs through AmirX.

Root Cause

In the swap and defiToStablecoinSwap functions of AmirX the _verifyStablecoinSwap is called at the beginning of the function, with the ss.oAmount supplied by the swapper. However, ss.oAmount is later changed:

https://github.com/sherlock-audit/2024-11-telcoin/blob/b9c751b59e78a7123a636e31ecafc9147046f190/telcoin-audit/contracts/swap/AmirX.sol#L93

if (fBalance - iBalance != 0) ss.oAmount = fBalance - iBalance;

Thus, if the new value is more than the initial, the total supply of the origin stablecoin may be less than the getMinLimit(ss.origin).

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

1. The minimum total supply of the origin token is 1e18, and the current total supply is 2e18
2. A swapper calls swap, setting the ss.oAmount to 0.5e18, passing the validation in _verifyStablecoinSwap
3. However, the ss.oAmount increases to 1.1e18, causing the total supply of the origin token to be less than the minimum limit

Impact

A stabelcoin's total supply goes below the minimum limit, which should never happen.

PoC

No response

Mitigation

Call _verifyStablecoinSwap after ss.oAmount has been updated.