code-423n4 / 2022-05-backd-findings


Able to get LP tokens without spending any funds in `FeeBurner.sol` #156

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

FeeBurner.sol#L43-L88

Vulnerability details

Impact

In the burnToTarget function, if the tokens_ array has only a zero address token and msg.value is 0 then FeeBurner.sol would still call the swapAll function and use all WETH held in the contract. If the contract has any WETH, the caller would get LP tokens of the target pool without using any of their funds.

Proof of Concept

  1. An attacker calls the burnToTarget function with tokens_ array containing only a zero address token and msg.value as 0.

  2. The for loop would end before any actual transfer from the caller to the contract takes place and the require condition on line 75 would pass since msg.value is 0.

  3. FeeBurner.sol approves the swapper router to use an infinite amount of its WETH and then calls the swapper router's swapAll function to swap all of its WETH for the underlying token of the target pool.

  4. The underlying tokens are then deposited into the target pool and the contract receives the target pool's LP tokens which it sends to the caller.

Recommended Mitigation Steps

Check the WETH balance before and after the for loop and revert if the balance has not increased.

chase-manning commented 2 years ago

The contract would not have any WETH sitting in it from normal use. The only way this would happen is if a user randomly transferred WETH to the contract. And if they want to do that, it's better for it to go to a random user than to be stuck permanently.

GalloDaSballo commented 2 years ago

Disputed as a router contract; send funds at your own peril.