TridentRouter.sol implements a pool whitelisting mechanism. However, some of the swap operations do not perform the pool whitelist check.
    function exactInputSingle(ExactInputSingleParams calldata params) public payable returns (uint256 amountOut) {
        // @dev Prefund the pool with token A.
        bento.transfer(params.tokenIn, msg.sender, params.pool, params.amountIn);
        // @dev Trigger the swap in the pool.
        amountOut = IPool(params.pool).swap(params.data);
        // @dev Ensure that the slippage wasn't too much. This assumes that the pool is honest.
        require(amountOut >= params.amountOutMinimum, "TOO_LITTLE_RECEIVED");
    }
Line #103
    function exactInputSingleWithNativeToken(ExactInputSingleParams calldata params) public payable returns (uint256 amountOut) {
        // @dev Deposits the native ERC-20 token from the user into the pool's `bento`.
        _depositToBentoBox(params.tokenIn, params.pool, params.amountIn);
        // @dev Trigger the swap in the pool.
        amountOut = IPool(params.pool).swap(params.data);
        // @dev Ensure that the slippage wasn't too much. This assumes that the pool is honest.
        require(amountOut >= params.amountOutMinimum, "TOO_LITTLE_RECEIVED");
    }
Neither function checks that params.pool is a whitelisted pool.
Tools Used
Manual Code Review
Recommended Mitigation Steps
Add a whitelisting check to the function. The sample code can be seen below.
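One way to apply the recommended check to exactInputSingle, as an added sketch that is not the reporter's sample code and not the Trident code base. The IPoolRegistry interface and its pools() lookup, the whitelistedPools cache, the modifier name, the struct field order and the INVALID_POOL message are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces assumed for this sketch (not the project's own definitions).
interface IPool { function swap(bytes calldata data) external returns (uint256 amountOut); }
interface IBento { function transfer(address token, address from, address to, uint256 share) external; }
// Hypothetical registry that records which pools came from a trusted deployment path.
interface IPoolRegistry { function pools(address pool) external view returns (bool); }

contract WhitelistedRouterSketch {
    // Field names follow the snippet in the report; the order is assumed.
    struct ExactInputSingleParams {
        uint256 amountIn;
        uint256 amountOutMinimum;
        address pool;
        address tokenIn;
        bytes data;
    }

    IBento public immutable bento;
    IPoolRegistry public immutable registry;
    // Cache of pools already verified against the registry.
    mapping(address => bool) internal whitelistedPools;

    constructor(IBento _bento, IPoolRegistry _registry) {
        bento = _bento;
        registry = _registry;
    }

    // Reverts before any tokens move if the pool is unknown to the registry.
    modifier onlyWhitelistedPool(address pool) {
        if (!whitelistedPools[pool]) {
            require(registry.pools(pool), "INVALID_POOL");
            whitelistedPools[pool] = true;
        }
        _;
    }

    function exactInputSingle(ExactInputSingleParams calldata params)
        public payable onlyWhitelistedPool(params.pool) returns (uint256 amountOut)
    {
        // The modifier has already validated params.pool, so the prefund below
        // and the amountOut returned by swap() come from a known pool.
        bento.transfer(params.tokenIn, msg.sender, params.pool, params.amountIn);
        amountOut = IPool(params.pool).swap(params.data);
        require(amountOut >= params.amountOutMinimum, "TOO_LITTLE_RECEIVED");
    }
}
```

The same modifier would be applied to exactInputSingleWithNativeToken so that the deposit into the pool's balance also happens only after the pool is validated.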
Handle
defsec
Vulnerability details
Impact
TridentRouter.sol implements a pool whitelisting mechanism. However, some of the swap operations do not perform the pool whitelist check.
Proof of Concept
Line #44
Line #103