Skip to content

Latest commit

 

History

History
91 lines (61 loc) · 2.47 KB

069.md

File metadata and controls

91 lines (61 loc) · 2.47 KB
Raw

Late Hotpink Dinosaur

Medium

Fixed Target Amount in Sequential DeFi-Stablecoin Swaps Leads to Value Loss and Unfair Protocol Gains

Summary

Protocol will unfairly gain excess value from favorable price movements in defi-to-stablecoin swaps as it controls the wallet that receives the DeFi swap proceeds while only committing to deliver a fixed target amount to the user.

Root Cause

The choice to use a fixed target amount (tAmount) in AmirX.sol in swap and defiToStablecoinSwap at https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/swap/AmirX.sol#L127 is a mistake as it prevents users from capturing upside in favorable market movements during the sequential swap process.

function defiToStablecoinSwap(
    address wallet,
    StablecoinSwap memory ss,
    DefiSwap memory defi
) external payable onlyRole(SWAPPER_ROLE) whenNotPaused {
    _verifyDefiSwap(wallet, defi);
    _verifyStablecoinSwap(wallet, ss);

    uint256 iBalance = ERC20(ss.origin).balanceOf(wallet);
    _defiSwap(wallet, defi);
    uint256 fBalance = ERC20(ss.origin).balanceOf(wallet);
    ss.oAmount = fBalance - iBalance;
    _stablecoinSwap(wallet, ss); // user receives tAmount originally specified
}

Contrast with Standard DEX Swaps

Standard DEX swaps typically implement:

struct SwapParams {
    uint256 amountIn;
    uint256 minAmountOut;  // Floor protection, not ceiling
    // ...
}

Key issues:

  • Standard swaps set minimum output but no maximum
  • Users capture all upside from favorable price movements
  • In AmirX, similarly, user anyways has paid the fee and should not be limited to target amount

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

Initial Setup: 1 ETH = $3,000 Expected: 1 ETH → 3,000 USDC → 3,000 USDe

When ETH price increases to $3,300: What Should Happen: 1 ETH → 3,300 USDC → ~3,000 USDe

What Actually Happens: 1 ETH → 3,300 USDC → only 3,000 USDe (fixed amount) Protocol keeps: ~300 USDC excess

The issue is:

  1. Higher ETH price gets more USDC in first swap
  2. But fixed tAmount in contract means user still only gets 3,000 USDe
  3. Protocol keeps the extra USDC (~300) from favorable ETH price
  4. User loses out on ~300 USDe they should have received

This is unfair because users don't benefit from favorable ETH price movements, while the protocol captures the excess value.

Impact

No response

PoC

No response

Mitigation

No response