Open code423n4 opened 2 years ago
WatchPug
At L149, params.recipient is read and put into a local variable recipient. However, recipient is only read once when wrapOutputToLending is true. Thus, the variable recipient is unnecessary.
params.recipient
recipient
wrapOutputToLending
https://github.com/code-423n4/2021-10-ambire/blob/bc01af4df3f70d1629c4e22a72c19e6a814db70d/contracts/wallet/Zapper.sol#L147-L159
function tradeV3Single(ISwapRouter uniV3Router, ISwapRouter.ExactInputSingleParams calldata params, bool wrapOutputToLending) external returns (uint) { ISwapRouter.ExactInputSingleParams memory tradeParams = params; address recipient = params.recipient; if(wrapOutputToLending) { tradeParams.recipient = address(this); } uint amountOut = uniV3Router.exactInputSingle(tradeParams); if(wrapOutputToLending) { lendingPool.deposit(params.tokenOut, amountOut, recipient, aaveRefCode); } return amountOut; }
Change to:
function tradeV3Single(ISwapRouter uniV3Router, ISwapRouter.ExactInputSingleParams calldata params, bool wrapOutputToLending) external returns (uint) { ISwapRouter.ExactInputSingleParams memory tradeParams = params; if(wrapOutputToLending) { tradeParams.recipient = address(this); } uint amountOut = uniV3Router.exactInputSingle(tradeParams); if(wrapOutputToLending) { lendingPool.deposit(params.tokenOut, amountOut, params.recipient, aaveRefCode); } return amountOut; }
resolved in https://github.com/AmbireTech/adex-protocol-eth/commit/ad56b80a8483ff3a03cd9b326c242a4b6162eeec
The sponsor has removed the extra declaration
Handle
WatchPug
Vulnerability details
At L149,
params.recipient
is read and put into a local variablerecipient
. However,recipient
is only read once whenwrapOutputToLending
is true. Thus, the variablerecipient
is unnecessary.https://github.com/code-423n4/2021-10-ambire/blob/bc01af4df3f70d1629c4e22a72c19e6a814db70d/contracts/wallet/Zapper.sol#L147-L159
Recommendation
Change to: