msg.value is attached to external swap calls in LibSwap.swap() even if the fromAssetId is not the native token.
The function LibSwap.swap() will always include msg.value as seen on the line _swapData.callTo.call{ value: msg.value }(_swapData.callData);. If the sender has sent msg.value in the transaction, for example if they have multiple swap paths and the first one is the native token. Then this value is included for all other swap paths.
The impact is that there is either insufficient balance in the contract in which case the transaction will always revert. Alternatively, if there is sufficient balance in the contract then it will be transferred in the external call potentially draining the contract of funds.
Proof of Concept
In the function below msg.value is always sent in the external call even if the fromAssetId is not the native token.
Consider only attaching value to the external call if fromAssetId is the native token. Alternatively do not allow for the native token to be used in the protocol and instead enforce it to be swapped in an ERC20.
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Libraries/LibSwap.sol#L29-L46
Vulnerability details
Impact
msg.value
is attached to external swap calls inLibSwap.swap()
even if thefromAssetId
is not the native token.The function
LibSwap.swap()
will always includemsg.value
as seen on the line_swapData.callTo.call{ value: msg.value }(_swapData.callData);
. If the sender has sentmsg.value
in the transaction, for example if they have multiple swap paths and the first one is the native token. Then this value is included for all other swap paths.The impact is that there is either insufficient balance in the contract in which case the transaction will always revert. Alternatively, if there is sufficient balance in the contract then it will be transferred in the external call potentially draining the contract of funds.
Proof of Concept
In the function below
msg.value
is always sent in the external call even if thefromAssetId
is not the native token.Recommended Mitigation Steps
Consider only attaching
value
to the external call iffromAssetId
is the native token. Alternatively do not allow for the native token to be used in the protocol and instead enforce it to be swapped in an ERC20.