Duplicate of #66
We are aware that the contract allows users to use latent funds, although we disagree on it being an issue as no funds (ERC20 or native) should ever lie in the contract. To make sure that no value is ever kept by the diamond, we now provide refunds for outstanding user value (after bridges/swaps).
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Libraries/LibSwap.sol#L33-L35
Vulnerability details
Impact
There is a WithdrawFacet such that only the owner/admin can recover the lost funds in the contract. However, any user can retrieve the funds by using the swapTokensGeneric function, which might be unexpected behavior.
Proof of Concept
swapTokensGeneric function with corresponding parameters to swap 1000 USDC to DAI via the Uniswap V2 router.
swapTokensGeneric function calls _executeSwaps, which calls LibSwap.swap. In this function, the contract checks whether LibAsset.getOwnBalance(fromAssetId) < fromAmount or not. If it has enough balance, it does not call LibAsset.transferFromERC20 to request the tokens from the caller.
GenericSwapFacet.sol#L22-L44 Swapper.sol#L12-L23 LibSwap.sol#L33-L35
Recommended Mitigation Steps
If recovering funds by anyone is not the desired behavior, consider always transferring the funds from users before the first swap.
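The balance check described in the proof of concept, next to the mitigation recommended above, as an added example that is not the project's LibSwap code. The contract and function names are hypothetical, and it assumes an ERC20 token whose transferFrom returns bool (native assets are not covered).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface used by this example (assumes a bool-returning token).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract for illustration; names are not from the audited code.
contract SwapFundingExample {
    // Pattern from the report: tokens are requested from the caller only when
    // the contract's own balance is below fromAmount. Any balance already
    // sitting in the contract therefore funds the caller's swap instead.
    function _fundIfShort(IERC20 token, uint256 fromAmount) internal {
        if (token.balanceOf(address(this)) < fromAmount) {
            require(
                token.transferFrom(msg.sender, address(this), fromAmount),
                "pull failed"
            );
        }
    }

    // Mitigation for the first swap: always pull fromAmount from the caller,
    // then confirm via the balance delta that exactly that amount arrived.
    // Tokens that deliver less than fromAmount (e.g. fee-on-transfer) revert.
    function _fundAlways(IERC20 token, uint256 fromAmount)
        internal
        returns (uint256 received)
    {
        uint256 balanceBefore = token.balanceOf(address(this));
        require(
            token.transferFrom(msg.sender, address(this), fromAmount),
            "pull failed"
        );
        received = token.balanceOf(address(this)) - balanceBefore;
        require(received == fromAmount, "unexpected deposit amount");
    }
}
```

With `_fundAlways`, a caller who holds no tokens or has granted no allowance reverts at `transferFrom`, regardless of what balance the contract already holds.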