Closed code423n4 closed 2 years ago
Duplicate of #66
We are aware that the contract allows users to use latent funds, although we disagree on it being an issue as no funds (ERC20 or native) should ever lay in the contract. To make sure that no value is ever kept by the diamond, we now provide refunds for outstanding user value (after bridges/swaps).
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/GenericSwapFacet.sol#L28 https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Libraries/LibSwap.sol#L33
Vulnerability details
Impact
If the LiFiDiamond contract ends up holding any ERC20 token, any user is able to perform a swap from the held asset to another asset, and the swap will use the contracts' funds as input instead of their own. The result is that a user can take all of the funds from the contract.
Proof of Concept
Here is a link to a screenshot of a test running a simulation: https://drive.google.com/file/d/1Ac3KLufObZV7djHxVrmRlp9yjT7CW7E1/view?usp=sharing
Recommended Mitigation Steps