Email address
mail@cmichel.io
Handle
@cmichelio
Eth address
0x6823636c2462cfdcD8d33fE53fBCD0EdbE2752ad
Vulnerability details
The UniswapStyleLib.getReserves function does not check if the tokens are the pair's underlying tokens. It blindly assumes that the tokens are in the wrong order if the first one does not match but they could also be completely different tokens.
Impact
It could be the case that output amounts are computed for completely different tokens because a wrong pair was provided.
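A sketch of the missing check, added here as an example and not taken from the project's code. The library name `CheckedReserves`, both function names, and the assumption that the pair exposes the Uniswap V2 `token0()`/`token1()`/`getReserves()` interface are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of the Uniswap V2 pair interface (assumed pair type).
interface IUniswapV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function getReserves()
        external
        view
        returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Hypothetical library for illustration; not the project's UniswapStyleLib.
library CheckedReserves {
    // Pattern described in the report: only the first token is compared,
    // so any mismatch is treated as "reversed order" and reserves of an
    // unrelated pair are returned without complaint.
    function getReservesUnchecked(address pair, address tokenA, address)
        internal
        view
        returns (uint256 reserveA, uint256 reserveB)
    {
        (uint112 r0, uint112 r1, ) = IUniswapV2Pair(pair).getReserves();
        bool inOrder = tokenA == IUniswapV2Pair(pair).token0();
        reserveA = inOrder ? r0 : r1;
        reserveB = inOrder ? r1 : r0;
    }

    // Hardened form: both tokens must be the pair's underlying tokens,
    // in either order; anything else reverts.
    function getReservesChecked(address pair, address tokenA, address tokenB)
        internal
        view
        returns (uint256 reserveA, uint256 reserveB)
    {
        address token0 = IUniswapV2Pair(pair).token0();
        address token1 = IUniswapV2Pair(pair).token1();
        (uint112 r0, uint112 r1, ) = IUniswapV2Pair(pair).getReserves();
        if (tokenA == token0 && tokenB == token1) {
            reserveA = r0;
            reserveB = r1;
        } else if (tokenA == token1 && tokenB == token0) {
            reserveA = r1;
            reserveB = r0;
        } else {
            revert("pair does not hold tokenA/tokenB");
        }
    }
}
```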