Closed code423n4 closed 2 years ago
pauliax
Token join contracts check that the final outputAmount is equal to _joinTokenStruct.outputAmount:
uint256 outputAmount = outputToken.balanceOf(address(this)); require( outputAmount == _joinTokenStruct.outputAmount, "FAILED_OUTPUT_AMOUNT" );
While these contracts are only for convenience, a theoretical attack exists here: a malicious actor can monitor the mempool and send the smallest fraction of the output token (basket) directly to the contract thus breaking this check.
Consider replacing == with >= .
duplicate #81
loki-sama
commented
2 years ago
Handle
pauliax
Vulnerability details
Impact
Token join contracts check that the final outputAmount is equal to _joinTokenStruct.outputAmount:
While these contracts are only for convenience, a theoretical attack exists here: a malicious actor can monitor the mempool and send the smallest fraction of the output token (basket) directly to the contract thus breaking this check.
Recommended Mitigation Steps
Consider replacing == with >= .