5 T Swap Audit Proof of Code / POC

[vegazeronos]

hi there, been trying to make Proof of Code for slippage vulnerable on TSwapPool::swapExactOutput.

here is my code:

        function test_slippageVulnerable() public {
        vm.startPrank(liquidityProvider);
        weth.approve(address(pool), type(uint256).max);
        poolToken.approve(address(pool), type(uint256).max);
        pool.deposit(100e18, 100e18, 100e18, uint64(block.timestamp));
        vm.stopPrank();

        poolToken.mint(userLoseMoney, 100e18);
        weth.mint(userLoseMoney, 1e18);

        vm.startPrank(userLoseMoney);
        poolToken.approve(address(pool), type(uint256).max);
        weth.approve(address(pool), type(uint256).max);
        vm.stopPrank();

        vm.prank(liquidityProvider);
        pool.deposit(100e18, 100e18, 100e18, uint64(block.timestamp));
        //pool.deposit(1e18, 1e18, 1000e18, uint64(block.timestamp));

        vm.prank(userLoseMoney);
        pool.swapExactOutput(poolToken, weth, 1e18, uint64(block.timestamp + 1 days));

        uint256 wethUserLoseMoneyEnd = weth.balanceOf(userLoseMoney);
        uint256 poolTokenUserLoseMoneyEnd = poolToken.balanceOf(userLoseMoney);
        uint256 wethPoolLP = weth.balanceOf(address(pool));
        uint256 poolTokenLP = poolToken.balanceOf(address(pool));

        console.log("wethLP: ", wethPoolLP);
        console.log("poolTokenLP: ", poolTokenLP);
        console.log("wethUserLoseMoneyEnd; ", wethUserLoseMoneyEnd);
        console.log("poolTokenUserLoseMoneyEnd: ", poolTokenUserLoseMoneyEnd);
    }

In the report, Patrick said that:

1. The price of 1 WETH right now is 1,000 USDC
2.  User inputs a swapExactOutput looking for 1 WETH
      inputToken = USDC
      outputToken = WETH
      outputAmount = 1
      deadline = whatever
3. The function does not offer a maxInput amount
4. As the transaction is pending in the mempool, the market changes! And the price moves HUGE -> 1 WETH is now 10,000 USDC. 10x more than the user expected
5. The transaction completes, but the user sent the protocol 10,000 USDC instead of the expected 1,000 USDC

the problem here is, i cannot make the swap from 1 weth = 1tokenpool into 1 weth = 1000 tokenpool.. Is there anyone can help?
while searching for this answer, maybe i will try to make another PoC tho

[EngrPips]

The best approach that comes to my mind is you should have a user that wants to make a swap then calculate what the user is supposed to get back/ pay when they make the swap but don't make the swap but instead make several other users make swaps and then make the first user swap and then compare what you had intitially calculated to the actual outcome/input of that user. Like that, you will be able to demonstrate that the lack of slippage protection caused the user to pay more than they actually wanted to pay.

[vegazeronos]

Yes ! i think like that too, but i dont get how the syntax works...

when they make the swap but don't make the swap

This word that i cant make it into the code, do you know how to do it or is there any cheat code to do it?
i have search for several times throu the docs but dont get anything yet

[EngrPips]

Have you written any swap poc for this codebase? maybe alone or along with Patrick?

[vegazeronos]

This codebase actually written by myself, or do you mean swap poc like this one?

function test_incorrectFeesMakeUserLoseMoney() public {
        //LP deposit their tokens
        vm.startPrank(liquidityProvider);
        weth.approve(address(pool), type(uint256).max);
        poolToken.approve(address(pool), type(uint256).max);
        pool.deposit(100e18, 100e18, 100e18, uint64(block.timestamp));
        vm.stopPrank();

        //userLoseMoney gain token to swap
        poolToken.mint(userLoseMoney, 10e18);
        weth.mint(userLoseMoney, 10e18);

        //userLoseMoney will swap and lose lots of money for fees
        vm.startPrank(userLoseMoney);
        poolToken.approve(address(pool), type(uint256).max);
        weth.approve(address(pool), type(uint256).max);
        pool.swapExactOutput(poolToken, weth, 1e17, uint64(block.timestamp + 1 days));
        vm.stopPrank();

        uint256 wethUserLoseMoneyEnd = weth.balanceOf(userLoseMoney);
        uint256 poolTokenUserLoseMoneyEnd = poolToken.balanceOf(userLoseMoney);

        //fees are 0.03%, the poolToken for userLoseMoney should be: 9_899_598_695_987_863_491
        console.log("wethUserLoseMoneyEnd; ", wethUserLoseMoneyEnd); //10_100_000_000_000_000_000
        console.log("poolTokenUserLoseMoneyEnd: ", poolTokenUserLoseMoneyEnd); //8_995_986_959_878_634_904

        // the fee here is about 0.3% of the transaction, and its HUGE
    }

i never know that Patrick wrote the PoC for this one, i search anywhere on the github (from main, audit, and codehawk branch) but didnt get anything

[EngrPips]

I can't remember correctly if he wrote one because it has been a long time since I saw the content. The exact way you set up a user here to make a swap is the same way you will set up plenty user to make a swap oner after the other then make the intended user make the last swap and show the difference in the expected result against the actual result. But I realized there is an issue with incorrect fee as well when a user make a swap so maybe you should create a separate swap function that correctly account for fee so that the vulnerability you want to show won't be disrupted by that incorrect fee accounting bug

You can set up the intended user for the swap by funding them with the tokens needed but don't call the swap function with them and the enter a for loop where other random users will make swaps and after the for loop use make the swap with the intended user and show the discrepancy in the output.

[vegazeronos]

Thankyou ser @EngrPips , i've refine my code base on your feedback, and i found the bug on my PoC. Finally !

function test_slippageVulnerable() public {
        /*
            goals-> break the contract, make the swap using lots of address user pooltoken
        */

        vm.startPrank(liquidityProvider);
        weth.approve(address(pool), type(uint256).max);
        poolToken.approve(address(pool), type(uint256).max);
        pool.deposit(100e20, 100e20, 100e20, uint64(block.timestamp));
        vm.stopPrank();

        //loop for 5005 people to do this swap
        uint256 userSwapping = 5005;
        address[] memory users = new address[](userSwapping);
        for (uint256 i = 1; i < userSwapping; i++) {
            users[i] = address(uint160(i));
            poolToken.mint(users[i], 10e18);
            weth.mint(users[i], 10e18);
            vm.startPrank(users[i]);
            poolToken.approve(address(pool), type(uint256).max);
            weth.approve(address(pool), type(uint256).max);
            pool.swapExactOutput(poolToken, weth, 1e18, uint64(block.timestamp + 1 days));
            vm.stopPrank();
        }

        poolToken.mint(userLoseMoney, 10e18);
        weth.mint(userLoseMoney, 10e18);
        vm.startPrank(userLoseMoney);
        poolToken.approve(address(pool), type(uint256).max);
        weth.approve(address(pool), type(uint256).max);
        pool.swapExactOutput(poolToken, weth, 1e18, uint64(block.timestamp + 1 days));
        vm.stopPrank();

        uint256 wethUserLoseMoneyEnd = weth.balanceOf(userLoseMoney);
        uint256 poolTokenUserLoseMoneyEnd = poolToken.balanceOf(userLoseMoney);
        uint256 wethPoolLP = weth.balanceOf(address(pool));
        uint256 poolTokenLP = poolToken.balanceOf(address(pool));

        console.log("wethLP: ", wethPoolLP);
        console.log("poolTokenLP: ", poolTokenLP);
        console.log("wethUserLoseMoneyEnd; ", wethUserLoseMoneyEnd);
        console.log("poolTokenUserLoseMoneyEnd: ", poolTokenUserLoseMoneyEnd);
    }

and here is the result, it swap a lot of tokenPool, euwww

wethUserLoseMoneyEnd;  11000000000000000000
poolTokenUserLoseMoneyEnd:  5374611510297629100

poolTokenUserLoseMoneyEnd should be 895129521.... if its the first transaction tho

Thanks again sir for helping !

[EngrPips]

@vegazeronos, You are a genius! I like how you craft this test hahaha, 5005 people to make a swap before the intended user you gave it no chance hahaha. Good job, man.