[M04] Missing check for input=output in stableswap math

[c4-bot-1]

Lines of code

https://github.com/code-423n4/2024-02-hydradx/blob/603187123a20e0cb8a7ea85c6a6d718429caad8d/HydraDX-node/pallets/stableswap/src/lib.rs#L787-L842

Vulnerability details

Impact

In curve protocol, there is a check that idx_in != idx_out here. This is there to prevent swapping of the same token with itself.

The stableswap protocol however is missing this check. This can potentially allow users to swap the same token for itself. This can break the math of the stableswap protocol, and potentially lead to wrong balances.

This check is not present in the buy function, and in the calculate_in_amount function, the only checks are on the individual tokens.

let index_in = pool.find_asset(asset_in).ok_or(Error::<T>::AssetNotInPool)?;
let index_out = pool.find_asset(asset_out).ok_or(Error::<T>::AssetNotInPool)?;

Proof of Concept

The check is missing in the code.

Tools Used

Manual Review

Recommended Mitigation Steps

Add in a check to ensure idx_in != idx_out

Assessed type

Invalid Validation

[c4-pre-sort]

0xRobocop marked the issue as insufficient quality report

[c4-pre-sort]

0xRobocop marked the issue as duplicate of #58

[0xRobocop]

Duplicated to #58, but this report does not describe any impact or attack, consider to either invalidate or partial.

[c4-judge]

OpenCoreCH marked the issue as unsatisfactory:
Insufficient proof

[OpenCoreCH]

Invalidating this issue because it does not describe any impact and just speculates about potential impacts. The issue itself would not have allowed the sponsor to see that this is a problem, whereas the other two wardens described the impacts in detail.

[c4-judge]

OpenCoreCH marked the issue as not a duplicate