Closed code423n4 closed 2 years ago
Duplicate of #62
Agree with sponsor this does not pose a functional risk. Changing to Low/QA.
Consider with warden's QA Report #139
This should be a duplicate of https://github.com/code-423n4/2022-03-lifinance-findings/issues/75 instead; I made a mistake during the deduplication process.
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/GenericSwapFacet.sol#L22
Vulnerability details
Impact
https://github.com/code-423n4/2022-03-lifinance/blob/main/docs/GenericSwapFacet.md stated that _lifiData is strictly for analytics purposes. But _lifiData is used to set receivingAsset.
Proof of Concept
In GenericSwapFacet.swapTokensGeneric, _lifiData.receivingAssetId is used in LibAsset.getOwnBalance and LibAsset.transferAsset.
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/GenericSwapFacet.sol#L22
Tools Used
Manual code review.
Recommended Mitigation Steps
In order to follow the policy, there should be a new parameter GenericSwapData.
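The separation the report recommends, as an added sketch that is not code from the report or from the LI.FI repository: the analytics struct is only emitted, while a dedicated swap parameter names the asset whose balance is measured and paid out. The contract name, both struct layouts, the event and the `_executeSwaps` hook are hypothetical, and only ERC-20 receiving assets are handled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Illustrative only: simplified, hypothetical types, not the audited contracts.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract GenericSwapSketch {
    event SwapCompleted(bytes32 indexed transactionId, address reportedAsset, uint256 amount);

    // Analytics-only metadata: copied into events, never read for fund movement.
    struct AnalyticsData {
        bytes32 transactionId;
        address receivingAssetId; // informational copy, may be wrong without harm
    }

    // Hypothetical functional parameter: the asset that is actually paid out.
    struct GenericSwapData {
        address receivingAssetId;
    }

    // Swap execution is out of scope for this sketch; a real facet supplies it.
    function _executeSwaps(bytes calldata swapCalldata) internal virtual;

    function swapTokensGeneric(
        AnalyticsData calldata _analytics,
        GenericSwapData calldata _swap,
        bytes calldata _swapCalldata
    ) external {
        // Balance accounting reads the functional parameter only.
        IERC20 asset = IERC20(_swap.receivingAssetId);
        uint256 balanceBefore = asset.balanceOf(address(this));

        _executeSwaps(_swapCalldata);

        uint256 received = asset.balanceOf(address(this)) - balanceBefore;
        require(asset.transfer(msg.sender, received), "transfer failed");

        // Analytics data is used for logging and nothing else.
        emit SwapCompleted(_analytics.transactionId, _analytics.receivingAssetId, received);
    }
}
```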