Open code423n4 opened 2 years ago
Completely agree with the validity of this finding. Even if the admin was not malicious, the bug will still continue to withdraw additional fees which were not included as part of the swap calculations. LPs would lose considerable value as a result.
Lines of code
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/connext/libraries/SwapUtils.sol#L1053-L1062
Vulnerability details
self.adminFees[i]
should be reset to 0 every time it's withdrawn. Otherwise, theadminFees
can be withdrawn multiple times.The admin may just be unaware of this issue and casualty
withdrawAdminFees()
from time to time, and rug all the users slowly.Recommendation
Change to: