Closed code423n4 closed 2 years ago
Duplicate of #66
We are aware that the contract allows users to use latent funds, although we disagree on it being an issue as no funds (ERC20 or native) should ever lie in the contract. To make sure that no value is ever kept by the diamond, we now provide refunds for outstanding user value (after bridges/swaps).
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Libraries/LibSwap.sol#L33
Vulnerability details
Improper Token Balance Check on swap()
Description
The swap() can be separated into 2 paths: swap native to ERC20, or swap ERC20 to native. The contract performs a fromAssetId balance check before calling swap, meaning that the attacker could periodically check for an ERC20 token balance that was left in the contract, then call for a swap by that amount to get free natives as a result.
Permalinks
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Libraries/LibSwap.sol#L33
Mitigation
The swap() should ignore the balance in the contract, transfer the supplied fromAmount to the contract and swap by that amount.
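Added example, not part of the original report and not LibSwap's own code: a simplified model of the funding step before a swap, showing the balance-check pattern the finding describes next to the mitigation it proposes. The contract name, function names and the IERC20 subset are hypothetical, and the token is assumed to return a bool from transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed by the example (assumes a token that
// returns a bool from transferFrom).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract: names are illustrative, not taken from LibSwap.
contract SwapFundingExample {
    // Pattern described in the finding: the contract's own balance of the
    // sending token is checked first, so tokens left behind by an earlier
    // transaction can cover fromAmount and msg.sender supplies nothing.
    function _fundFromBalanceCheck(IERC20 token, uint256 fromAmount) internal {
        if (token.balanceOf(address(this)) < fromAmount) {
            require(
                token.transferFrom(msg.sender, address(this), fromAmount),
                "pull failed"
            );
        }
    }

    // Mitigation as stated in the report: ignore the existing balance,
    // always pull fromAmount from the caller, and swap only that amount.
    // The before/after delta confirms the caller really delivered it.
    function _fundFromCaller(IERC20 token, uint256 fromAmount)
        internal
        returns (uint256 received)
    {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(
            token.transferFrom(msg.sender, address(this), fromAmount),
            "pull failed"
        );
        received = token.balanceOf(address(this)) - balanceBefore;
        require(received == fromAmount, "short transfer");
    }
}
```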