Shadowfiend
commented
3 years ago Duplicate of #17, according to #17.
Closed code423n4 closed 3 years ago
Shadowfiend
commented
3 years ago Duplicate of #17, according to #17.
Handle
gpersoon
Vulnerability details
Impact
The normal flow for swap transactions is: 1) user gives swap contract allowance for "inputtoken" 2) user calls swap contract (which performs the swap)
Suppose you are able to front run transaction #2 or the user has gives a large (unlimited) allowance, then you can position a transaction in between #1 and #2.
Then you can call swapByQuote() with a hacker-contract as parameter and sweep the tokens for which the user has given an allowance.
See proof of concept:
Proof of Concept
Create a hacker_token or use any other cheap token
Create a hacker_contract with following content:
Call function swapByQuote() in the following way: swapByQuote(inputtoken,amount,hacker-token,1,1,hacker_contract,hacker_contract,hackerfunction&amount,block.timestamp+100) Where:
swapByQuote() gives an allowance to hacker_contract swapByQuote() calls fillZrxQuote(), which calls hacker_contract The hacker_contract now has an allowance and can transfer the tokens from the swap contract. It should give back a token to make sure the logic in the swap contract continues.
https://github.com/code-423n4/2021-10-tally/blob/c585c214edb58486e0564cb53d87e4831959c08b/contracts/swap/Swap.sol#L106-L186
https://github.com/code-423n4/2021-10-tally/blob/c585c214edb58486e0564cb53d87e4831959c08b/contracts/swap/Swap.sol#L212
Tools Used
Recommended Mitigation Steps
Make sure the allowance by the user to the swap contract is as low as possible and/or is set to 0 after the call to swapByQuote() Use a frontrun resistant RPC to submit transactions Have a white list for allowed zrxTo addresses