Pools with a large total supply causes SWAP functions to always revert
ggrieco-tob opened this issue
Severity: Low
Difficulty: High
Description
A revert during the computations performed by the SWAP functions can prevent users from calling these functions if the initial supply of the token is large.
When a pool is finalized, the initial supply of shares is created. There is a lower bound to the initial supply, but there is no upper bound:
The total supply is used in several places, for instance in the joinswapExternAmountIn function, which calls calcPoolOutGivenSingleIn:
The multiplications are done through the fixed-point arithmetic function bmul:
An overflow in this computation will revert, regardless of the input values used in the SWAP functions.
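Added Python model (not the project's code) of the checked fixed-point multiply and of the newPoolSupply step the report points at; it assumes BONE = 1e18 and uint256 semantics as in balancer-core's BNum.sol, and shows the supply above which a join reverts for every input:

```python
# Added example: models Balancer-style fixed-point math (BONE = 1e18, uint256
# overflow checks) to show why a huge pool supply makes bmul() revert for any input.
BONE = 10**18
UINT256_MAX = 2**256 - 1


class Revert(Exception):
    """Models a failed Solidity require()."""


def bmul(a: int, b: int) -> int:
    # Checked multiply: a*b must fit in uint256, then the product is
    # rounded (+BONE/2) and scaled back down by BONE.
    c0 = a * b
    if c0 > UINT256_MAX:
        raise Revert("ERR_MUL_OVERFLOW")
    c1 = c0 + BONE // 2
    if c1 > UINT256_MAX:
        raise Revert("ERR_MUL_OVERFLOW")
    return c1 // BONE


def new_pool_supply(pool_ratio: int, pool_supply: int) -> int:
    # The step from calcPoolOutGivenSingleIn that the report highlights:
    # newPoolSupply = bmul(poolRatio, poolSupply). A join never shrinks the
    # pool, so poolRatio >= BONE and the raw product is >= BONE * poolSupply.
    return bmul(pool_ratio, pool_supply)


def always_reverts(pool_supply: int) -> bool:
    # True when even the smallest possible ratio (BONE, i.e. a zero-sized
    # join) overflows; any real input only makes the product larger.
    try:
        new_pool_supply(BONE, pool_supply)
    except Revert:
        return True
    return False


# Largest supply for which ratio == BONE still fits in uint256 (about 1.16e59).
MAX_SAFE_SUPPLY = UINT256_MAX // BONE


def check_init_supply(init_supply: int, cap: int) -> int:
    # The report's short-term mitigation: reject an initial supply above a
    # fixed upper bound at finalization instead of letting swaps revert later.
    if init_supply > cap:
        raise Revert("ERR_INIT_SUPPLY_TOO_LARGE")
    return init_supply
```

With an initial supply of BONE * 100 (the value in the fix comment below), the product bmul(poolRatio, poolSupply) has roughly 57 orders of magnitude of headroom before the overflow check fires.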
Exploit Scenario
Bob creates a pool with a very large number of token shares. Alice tries to call a SWAP function, but it reverts regardless of the input values she uses. As a result, she is unable to use the pool as expected.
Recommendation
Short term:
- Add an upper bound to the initial total supply and do not allow the total supply to grow beyond that limit.
- Alternatively, document this behavior and make sure the users are aware of it.
Long term:
- Consider using Echidna and Manticore to detect this kind of issue in the codebase.
Fixed. Pools are not initialized with a constant INIT_POOL_SUPPLY of BONE * 100
https://github.com/balancer-labs/balancer-core/blob/master/contracts/BPool.sol#L236-L237