GalloDaSballo
commented
2 years ago Agree with the finding, we will put a slippage check at end of function
Seems to be a dup of #47
Closed code423n4 closed 2 years ago
GalloDaSballo
commented
2 years ago Agree with the finding, we will put a slippage check at end of function
Seems to be a dup of #47
0xleastwood
commented
2 years ago duplicate of #47
Handle
gzeon
Vulnerability details
Impact
redeemmay return less thanminOutif wrong token is supplied with poolID=3 because there is no check against minOut in L230-L232.Proof of Concept
https://github.com/Badger-Finance/ibbtc/blob/d8b95e8d145eb196ba20033267a9ba43a17be02c/contracts/Zap.sol#L216-L238 1) User mistakenly call redeem(USDC, 100, 3, 0, 100) 2) The contract take 100 bBTC from the user, redeem it (L231) 3) The contract call USDC.balanceOf(address(this)), which return 0 (L236) 4) The contract send 0 USDC to the user, despite minOut set to 100 The redeemed byvWBTC can be extracted by anyone calling redeem(byvWBTC, 0, 3, 0, 0)
Tools Used
Recommended Mitigation Steps
After L230
require(token==byvWBTC, "INVALID_TOKEN");or After L236require(out>=minOut, "INSUFFICIENT_OUTPUT");