galacticcouncil
Bug: [Audit_RV] sell does not check whether the exchanged assets are equal.
The sell endpoint does not check that the in and out assets are distinct. At the same time, it loads the asset data for both assets near the start of the function, and it will update the state for both at the end of the function.
This likely means that:
- The asset state will be first set to the “in asset state”, then it will be overwritten with the “out asset state”.
- The out asset state will just register an exchange of some LRNA for the asset, instead of an exchange of the asset for itself.
If the above is accurate, then the asset state no longer corresponds to reality. Besides being bad in itself, this increases the amount of LRNA in the asset state, ~~while at the same decreasing the amount of asset, both~~ by a value roughly equal to the exchanged amount. This would allow users to increase the asset prices by a fair amount in exchange for paying the transaction fees. This may be useful either directly, if they sell the manipulated asset for something else (e.g., the stable asset), or in case another contract relies on the exchange price for decisions (e.g. loans).
