smart-contracts icon indicating copy to clipboard operation
smart-contracts copied to clipboard

Published 20 hours ago verified publisher icon KyberNetwork

block steps functions that create price raise

Open ilanDoron opened this issue 6 years ago • 1 comments

Too high rate due to cached rate: In case an exchange exists a reserve which has a (partially) increasing conversion rate in relation to the exchanged source quantity, then the user can reach a better rate using maxDestAmount. Consider the conversion rate of an exchange as shown below:

can't paste graph example :(

In case of a trade request for 2 ETH → KNC, maxDestAmount = 500 KNCs, the chosen rate will be 1250, as the red dot is the chosen point on the curve. Afterwards, only 500 KNCs will be emitted resulting in a price of 0.4 ETH. In the optimal case, the green point would have been chosen, as it suffices to exchange 500 KNCs. In that case, the fair rate would have been 750 and hence the price would have been 0.66 ETH. Hence, the user is able to enforce a higher rate than expected for reserves with a (partially) increasing conversion rate by making a trade request with a large source amount. Likelihood: Medium Impact: Medium 1.8 Failing transaction due to rounding issue M During the audit, the following code was modified: 125 126 require(reportedDestAmount == tradeOutcome.userDeltaDestAmount); 127 require(tradeOutcome.actualRate >= minConversionRate); 128 129 ExecuteTrade(msg.sender, src, dest, tradeOutcome.userDeltaSrcAmount, tradeOutcome.userDeltaDestAmount);

KyberNetworkProxy.sol

This new code can lead to a failure of a valid transaction. To explain, we provide the following example: • One exchange offers an ETH-KNC rate of 1.1 • A user tries to exchange 300 wei into KNC with a minimum conversion rate of 1.1 and a maximum destination amount of 218 KNC twei. • Due to the maximum destination amount, only 199 wei will be exchanged. • Hence, the actualRate computed for the line above will be 218

199 and therefore smaller than the minimum

conversion rate of 1.1. • The proxy reverts the transaction.

As the example shows, a satisfiable transaction can fail, due to rounding issues. The likelihood of occurrence depends on the frequency with which the maximum destination amount is set and the conversion rates

of the reserves. Likelihood:

ilanDoron avatar Jun 26 '18 08:06 ilanDoron

Addressed in https://github.com/KyberNetwork/smart-contracts/pull/422

manhlx3006 avatar Aug 30 '19 07:08 manhlx3006