code-423n4 / 2022-03-lifinance-findings


A swap with a token amount received of zero does not fail #98

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/main/src/Facets/NXTPFacet.sol#L165

Vulnerability details

Impact

A token swap via NXTPFacet::swapAndCompleteBridgeTokensViaNXTP in which the receiving amount of tokens is zero does not fail.

Proof of Concept

The function NXTPFacet::swapAndCompleteBridgeTokensViaNXTP does not require that the token balance after the swap is higher than the token balance before the swap (see line 165).

Recommended Mitigation Steps

Add a require statement checking that postSwapBalance - startingBalance > 0 after the _executeSwap call.
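The missing check and the recommended fix, side by side, as an added example that is not part of the original report or the LiFi code base. `IERC20Like`, `IDexLike`, `SwapBalanceCheck` and the body of `_executeSwap` are hypothetical stand-ins; only the balance-delta logic mirrors what the report describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Hypothetical interfaces for illustration; not the LiFi or NXTP contracts.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

interface IDexLike {
    function swap(address tokenOut) external;
}

contract SwapBalanceCheck {
    // Pattern described in the report: the balance delta is computed but never
    // validated, so a swap that yields nothing continues with amount == 0.
    function swapUnchecked(address token, address dex) external returns (uint256 received) {
        uint256 startingBalance = IERC20Like(token).balanceOf(address(this));
        _executeSwap(token, dex);
        uint256 postSwapBalance = IERC20Like(token).balanceOf(address(this));
        received = postSwapBalance - startingBalance; // 0 is accepted here
        // ... the bridging step would follow with `received`
    }

    // Recommended mitigation: revert unless the swap increased the balance.
    function swapChecked(address token, address dex) external returns (uint256 received) {
        uint256 startingBalance = IERC20Like(token).balanceOf(address(this));
        _executeSwap(token, dex);
        uint256 postSwapBalance = IERC20Like(token).balanceOf(address(this));
        // Same condition as `postSwapBalance - startingBalance > 0`, written as a
        // comparison so a lower balance reverts with this message rather than
        // an arithmetic underflow panic.
        require(postSwapBalance > startingBalance, "swap returned no tokens");
        received = postSwapBalance - startingBalance;
    }

    // Stand-in for the `_executeSwap` call named in the report (body is assumed).
    function _executeSwap(address token, address dex) private {
        IDexLike(dex).swap(token);
    }
}
```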

H3xept commented 2 years ago

Fixed in lifinance/lifi-contracts@87a27cee2fbde337c4ab873971f37573d2240994

H3xept commented 2 years ago

Duplicate of #76