Flash swap call back prior to transferring tokens in indexPool
Impact
In the IndexPool contract, flashSwap does not work.
The callback function is called prior to token transfer. The sender won't receive tokens in the callback function.
ITridentCallee(msg.sender).tridentSwapCallback(context);
Flashswap is not implemented correctly. It may need a migration to redeploy all indexPools if the issue is found after mainnet launch.
I consider this a high-risk issue.
ITridentCallee(msg.sender).tridentSwapCallback(context);
// @dev Check Trident router has sent `amountIn` for skim into pool.
unchecked { // @dev This is safe from under/overflow - only logged amounts handled.
    require(_balance(tokenIn) >= amountIn + inRecord.reserve, "NOT_RECEIVED");
    inRecord.reserve += uint120(amountIn);
    outRecord.reserve -= uint120(amountOut);
}
_transfer(tokenOut, amountOut, recipient, unwrapBento);
Tools Used
None
Recommended Mitigation Steps
_transfer(tokenOut, amountOut, recipient, unwrapBento);
ITridentCallee(msg.sender).tridentSwapCallback(context);
// @dev Check Trident router has sent `amountIn` for skim into pool.
unchecked { // @dev This is safe from under/overflow - only logged amounts handled.
    require(_balance(tokenIn) >= amountIn + inRecord.reserve, "NOT_RECEIVED");
    inRecord.reserve += uint120(amountIn);
    outRecord.reserve -= uint120(amountOut);
}
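The effect of the two orderings can be seen in a simplified model. This is an added example, not code from the report or from the Trident repository; the Pool and FlashBorrower classes, the fixed external rate and the explicit amount_out argument are assumptions made for illustration.

```python
# Simplified model of the flash swap ordering (constructed; not IndexPool code).
class Pool:
    def __init__(self, reserve_in, reserve_out, transfer_first):
        self.reserve_in, self.reserve_out = reserve_in, reserve_out
        self.balance_in, self.balance_out = reserve_in, reserve_out  # tokens held
        self.transfer_first = transfer_first

    def _transfer_out(self, callee, amount_out):
        self.balance_out -= amount_out
        callee.token_out += amount_out

    def flash_swap(self, callee, amount_in, amount_out):
        # Snapshot so a failed swap rolls back, as a reverted transaction would.
        snap = (self.balance_in, self.balance_out, callee.token_in, callee.token_out)
        try:
            if self.transfer_first:        # order from the recommended mitigation
                self._transfer_out(callee, amount_out)
            callee.swap_callback(self, amount_in)
            # Mirrors require(_balance(tokenIn) >= amountIn + inRecord.reserve, ...)
            if self.balance_in < amount_in + self.reserve_in:
                raise RuntimeError("NOT_RECEIVED")
            self.reserve_in += amount_in
            self.reserve_out -= amount_out
            if not self.transfer_first:    # order described in the finding
                self._transfer_out(callee, amount_out)
            return "OK"
        except RuntimeError as err:
            self.balance_in, self.balance_out, callee.token_in, callee.token_out = snap
            return str(err)

class FlashBorrower:
    """Hypothetical callee with no starting capital: it sells the tokenOut it holds
    on an assumed external venue at `rate` tokenIn per tokenOut, then repays."""
    def __init__(self, rate):
        self.rate, self.token_in, self.token_out = rate, 0, 0

    def swap_callback(self, pool, amount_in):
        self.token_in += self.token_out * self.rate
        self.token_out = 0
        pay = min(self.token_in, amount_in)   # can only pay what it actually has
        self.token_in -= pay
        pool.balance_in += pay

def run(transfer_first):
    pool, borrower = Pool(1000, 1000, transfer_first), FlashBorrower(rate=3)
    result = pool.flash_swap(borrower, amount_in=20, amount_out=10)
    return result, borrower.token_in, pool.reserve_in, pool.reserve_out

if __name__ == "__main__":
    print("callback first:", run(False))
    print("transfer first:", run(True))
```

With the callback first, the borrower holds no tokenOut when it is called, so it cannot fund amountIn and the balance check fails. With the transfer first, the same balance check still protects the pool.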
Handle
broccoli
Vulnerability details
Proof of Concept
IndexPool.sol#L196-L223