Closed code423n4 closed 2 years ago
The usage is correct: as part of a batch transaction that is executed from the Identity, a user would first send an aToken to the zapper.
Then, the withdraw there is used to unwrap this aToken back to the original and trade it.
As per the sponsor, the zapper expects funds to be there as part of a batch transaction.
Handle
cmichel
Vulnerability details
As I understand it, the Zapper is supposed to be called as part of a batch transaction originating from the user or identity contract. But when calling lendingPool.withdraw, for example in exchangeV2, Aave tries to withdraw from the Zapper balance, not the user balance. There should never be a collateral balance for the Zapper contract as anyone could withdraw it at any time.
Impact
It's unclear why withdrawing from the Lending pool as the Zapper account would ever be useful. The intention might have been to withdraw as the caller msg.sender but that doesn't currently work.
Recommended Mitigation Steps
Clarify the intention of this Aave withdrawal, and remove the code if it's not needed or if the intention was to withdraw as the user not as the Zapper contract.
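A minimal Python model of the behaviour discussed in this issue, added here as an illustration and not taken from the Zapper or Aave code: the pool burns aTokens from whoever calls withdraw, so the Zapper's step only succeeds when the same batch first moves aTokens onto the Zapper, and the Zapper should hold nothing once the batch ends. The names Pool, zapper_unwrap, run_batch and zapper_holds_nothing are hypothetical, and paying the underlying straight to the caller stands in for the real trade step.

```python
# Simplified model (not Aave or project code): balances are plain dicts and
# msg.sender is passed explicitly as `sender`.
class Revert(Exception):
    pass

class Pool:
    """Models the one property the finding relies on: withdraw() burns the
    caller's aTokens and pays the underlying asset to `to`."""
    def __init__(self):
        self.atoken = {}      # aToken balances per account
        self.underlying = {}  # underlying asset balances per account

    def transfer_atoken(self, sender, to, amount):
        if self.atoken.get(sender, 0) < amount:
            raise Revert("insufficient aToken balance")
        self.atoken[sender] -= amount
        self.atoken[to] = self.atoken.get(to, 0) + amount

    def withdraw(self, sender, amount, to):
        if self.atoken.get(sender, 0) < amount:
            raise Revert("insufficient aToken balance")
        self.atoken[sender] -= amount
        self.underlying[to] = self.underlying.get(to, 0) + amount

ZAPPER = "zapper"  # constructed account label for the Zapper contract

def zapper_unwrap(pool, caller, amount):
    """Hypothetical stand-in for the Zapper's withdraw step: the pool sees the
    Zapper as msg.sender, so the Zapper's own aTokens are burned."""
    pool.withdraw(sender=ZAPPER, amount=amount, to=caller)

def run_batch(pool, identity, amount):
    """The batch the sponsor describes: send aTokens to the Zapper, then unwrap."""
    pool.transfer_atoken(identity, ZAPPER, amount)
    zapper_unwrap(pool, identity, amount)

def zapper_holds_nothing(pool):
    """Invariant to assert after every batch: no aTokens rest on the Zapper."""
    return pool.atoken.get(ZAPPER, 0) == 0
```

Asserting zapper_holds_nothing at the end of each batch in a test suite catches any flow that leaves aTokens resting on the Zapper between transactions.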