verifyfirst
commented
3 years ago Pools are be design to allow other protocols to wrap with their own routers. Our router handles WBNB for its pool
Closed code423n4 closed 3 years ago
verifyfirst
commented
3 years ago Pools are be design to allow other protocols to wrap with their own routers. Our router handles WBNB for its pool
SamusElderg
commented
3 years ago Have tested '0' as the input (this is a ROUTER function btw; not POOL) which causes the txn to fail as expected thereby deeming this a non-issue unless the warden can explain how to reproduce?
The return type for PoolFactory.getPool() is an address of which '0' or 0 is not; so it fails as intended.
ghoul-sol
commented
3 years ago Per sponsor comment, invalid.
Handle
cmichel
Vulnerability details
Vulnerability Details
The
Pool.removeLiquidityExactfunction redeems liquidity tokens for underlying to the router contract in case of thetokenbeing the zero address. This works if the underlying token is actuallyWBNBbut if the pool token is different and the user accidentally inserted0as thetokenaddress, the redeemedtokenwill stay in the router.Recommended Mitigation Steps
If
token == 0add a check forpool.token == WBNBsuch that it is ensured that the pool's token is actuallyWBNB.