We want to give the caller (the owner of the bond and insurance tokens) the ability to transfer the asset ERC20 token and collateral ERC20 token to different addresses.
Handle
defsec
Vulnerability details
Impact
During the code review, it has been observed that the asset and collateral check is missing. On the Timeswap pair, the checks are not implemented, and that can cause unintended behaviours.
Proof of Concept
https://github.com/code-423n4/2022-01-timeswap/blob/main/Timeswap/Timeswap-V1-Core/contracts/TimeswapPair.sol#L265
Tools Used
None
Recommended Mitigation Steps
Consider checking whether AssetTo and CollateralTo are the same.