search

code-423n4 / 2022-03-lifinance-findings

6 stars 4 forks source link

Missing input validation could lead to loss of fund #84

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/GenericSwapFacet.sol#L30

Vulnerability details

Impact

A faulty input in GenericSwapFacet.swapTokensGeneric() could cause funds to get stuck in the contract.

In addition, tokens left in the LiFi contract can be retrieved by anyone (see issue: ERC20 withdrawals can be frontrun), leading to loss of fund.)

Proof of Concept

  1. Alice calls swapTokensGeneric(), inputting WETH as lifiData.receivingAssetId, USDC as swapData.sendingAssetId, and USDT as swapData.receivingAssetId.
  2. The contract swaps Alice's USDC to USDT, but tries to send WETH instead of USDT.
  3. Alice receives nothing and the USDT is now stuck in the contract.

Recommended Mitigation Steps

Ensure that lifiData.receivingAssetId is equal to receivingAssetId of the final _swapData.

itsmetechjay commented 2 years ago

Updated per warden to link to another issue submitted.

H3xept commented 2 years ago

Duplicate of #137

gzeoneth commented 2 years ago

Agree with sponsor this does not pose a functional risk. Changing to Low/QA.

gzeoneth commented 2 years ago

Consider with #81

gzeoneth commented 2 years ago

This should be a duplicate of #75 instead, I made a mistake during the deduplication process.