055.md

Brilliant Cotton Puma

High

A user will receive a wrong number of tokens when swapping stablecoins

Summary

Whenever a user swaps stablecoins, through swap or defiToStablecoinSwap the number of tokens that need to be burned may be set to a new value:

https://github.com/sherlock-audit/2024-11-telcoin/blob/b9c751b59e78a7123a636e31ecafc9147046f190/telcoin-audit/contracts/swap/AmirX.sol#L93

if (fBalance - iBalance != 0) ss.oAmount = fBalance - iBalance;

This, however, is an issue as if the oAmount of tokens changes, the tAmount of tokens that will get minted stays the same. Thus, the wallet of the user will either receive more or fewer tokens than it should, depending on how oAmount is updated.

Root Cause

In the swap and defiToStablecoinSwap functions of AmirX the oAmount of the origin token may increase/decrease, however, the tAmount of the target token stays the same. This issue cannot be prevented by the Swapper, as the tAmount will be calculated based on the initial oAmount, even if it later changes.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

1. Swapper initiates a swap with oAmount = 1e18 and tAmount = 2e18
2. The oAmount is set to 0.5e18 in the swap function, however, tAmount stays the same
3. Thus, the wallet will be minted two times the number of target tokens that they should have

Impact

A wallet may receive more/fewer tokens than intended, which is detrimental to the protocol.

PoC

No response

Mitigation

Make sure that tAmount is recalculated if oAmount has been updated.