Open code423n4 opened 2 years ago
We are aware that the contract allows users to use latent funds, although we disagree on it being an issue as no funds (ERC20 or native) should ever lay in the contract. To make sure that no value is ever kept by the diamond, we now provide refunds for outstanding user value (after bridges/swaps).
We are aware that the contract allows users to use latent funds, although we disagree on it being an issue as no funds (ERC20 or native) should ever lay in the contract. To make sure that no value is ever kept by the diamond, we now provide refunds for outstanding user value (after bridges/swaps).
Keeping this and all duplicates as Med Risk. There can be fund leftover in the contract under normal operation, for example this tx. In fact, ~$300 worth of token is left in the LI.Fi smart contract on ETH mainnet 0x5a9fd7c39a6c488e715437d7b1f3c823d5596ed1 as of block 14597316. I don't think this is High Risk because the max amount lost is no more than allowed slippage, which can be loss to MEV too.
This has been fixed in the most recent version of src/Helpers/Swapper.sol
which sweeps any latent funds back to the user's wallet.
Lines of code
LibSwap.swap GenericSwapFacet.sol
Vulnerability details
Impact
Remaining or unaccounted ERC20 balance could be freely taken through
swapTokensGenerics
andswap
.Proof of Concept
Given:
There has been a deposit to LiFi of a non-native ERC20 that makes
LibAsset.getOwnBalance(fromAssetId)
a desirable amount.Attacker calls
swapTokensGeneric
with a_swapData.fromAmount
value just belowLibAsset.getOwnBalance(fromAssetId)
.First
if
statement inswap
is skipped (no funds are tranferred to LiFis contract).LibAsset.getOwnBalance(_lifiData.receivingAssetId)
postSwapBalance
and transfered to attacker.Tools Used
Recommended Mitigation Steps
Ensure funds are always subtracted from users account in
swap
, even if LiFi has enough balance to do the swap.