Damaged Hazelnut Wolverine - Incorrect Token Conversion Due to Misapplied Fee in Asset Swap

[sherlock-admin4]

Damaged Hazelnut Wolverine

Medium

Incorrect Token Conversion Due to Misapplied Fee in Asset Swap

Summary

The getNbOfnuAssetNeededForNuma function in the NumaPrinter contract inaccurately calculates the ETH equivalent of Numa tokens due to a decreased sell fee applied in the numaToEth function of the VaultManager contract. T

Root Cause

The numaToEth function in the VaultManager contract decreases the ETH amount by applying a sell fee, leading to an inaccurate ETH equivalent for the Numa tokens.

function numaToEth(
    uint _inputAmount,
    PriceType _t
) public view returns (uint256) {
    (, , uint criticalScaleForNumaPriceAndSellFee, ) = getSynthScaling();
    uint result = tokenToNuma(
        _inputAmount,
        1 ether,
        1 ether,
        criticalScaleForNumaPriceAndSellFee
    );
    if (_t == PriceType.BuyPrice) {
        result = (result * 1 ether) / getBuyFee();
    } else if (_t == PriceType.SellPrice) {
>>        (uint sellfee, , ) = getSellFeeScaling();
        result = (result * sellfee) / 1 ether;
    }
    return result;
}

Internal pre-conditions

https://github.com/sherlock-audit/2024-12-numa-audit/blob/ae1d7781efb4cb2c3a40c642887ddadeecabb97d/Numa/contracts/NumaProtocol/NumaPrinter.sol#L477
numaToEth is called with PriceType.SellPrice.
Sell fee is applied within numaToEth function in VaultManager.

External pre-conditions

getNbOfnuAssetNeededForNuma is called to determine nuAsset requirements.
VaultManager is integrated with NumaPrinter.

Attack Path

User calls getNbOfnuAssetNeededForNuma.
numaToEth decreases ETH value due to sell fee.

Impact

System will default to pool price even when vault is more favourabe

PoC

No response

Mitigation

uint256 ethAmountVault = vaultManager.numaToEth(
    amountWithFee,
+   IVaultManager.PriceType.BuyPrice
);