Closed code423n4 closed 2 years ago
If someone sends an invalid request to the fee burner (such as two ETH pools), then it is expected that the transaction should fail. That is the intended behaviour.
The second call will fail as there will be no ETH to send to the SwapperRouter; for that reason I believe the finding to be invalid.
Lines of code
https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/RewardHandler.sol#L40-L50
Vulnerability details
Impact
If more than one pool has underlying = address(0) then RewardHandler.burnFees() will fail or use ETH balance from FeeBurner.sol.
Proof of Concept
RewardHandler.sol#L40-L50
FeeBurner.sol#L56-L65
RewardHandler.burnFees() calls feeBurner.burnToTarget() with its entire ethBalance.
underlying = address(0) then feeBurner.burnToTarget() will try to swap the entire ethBalance from RewardHandler twice.
Tools Used
Manual Review
Recommended Mitigation Steps
Don't loop over using the same msg.value when dealing with multiple pools using underlying = address(0). Instead make the swap based on an individual per token basis.
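The balance accounting disputed in this thread, as a small Python ledger model added here (not code from the Backd repository or from either commenter). The class, method names, token list and balances are constructed, and the model assumes burnToTarget forwards the full msg.value once per entry whose underlying is address(0).

```python
"""Constructed ledger model of msg.value reuse in a loop (not the Backd contracts)."""

ETH = None  # stands in for underlying = address(0)


class Revert(Exception):
    """Models an EVM revert caused by insufficient balance."""


class FeeBurnerModel:
    def __init__(self, own_balance=0):
        self.balance = own_balance  # ETH held before the call (assumed value)
        self.swapped = 0            # total ETH forwarded to the hypothetical swapper

    def _forward(self, amount):
        if amount > self.balance:
            raise Revert("insufficient ETH for swap")
        self.balance -= amount
        self.swapped += amount

    def burn_shared_value(self, tokens, msg_value):
        """Reported pattern: the full msg_value is forwarded once per ETH entry."""
        self.balance += msg_value  # the call value is credited only once
        for token in tokens:
            if token is ETH:
                self._forward(msg_value)

    def burn_single_forward(self, tokens, msg_value):
        """Assumed fix: msg_value is forwarded once, however many ETH entries exist."""
        self.balance += msg_value
        if any(token is ETH for token in tokens):
            self._forward(msg_value)


def run(method, own_balance, tokens, msg_value):
    """Return (swapped, remaining balance), or "revert" if the call would fail."""
    burner = FeeBurnerModel(own_balance)
    try:
        getattr(burner, method)(tokens, msg_value)
    except Revert:
        return "revert"  # a revert rolls back every state change
    return burner.swapped, burner.balance


if __name__ == "__main__":
    pools = [ETH, "DAI", ETH]  # constructed: two pools with an ETH underlying
    print(run("burn_shared_value", 0, pools, 10))
    print(run("burn_shared_value", 10, pools, 10))
    print(run("burn_single_forward", 10, pools, 10))
```

With no ETH held beforehand the second forward reverts; with ETH already held, the second forward is paid from that existing balance.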