Picodes
commented
1 year ago The recipient of the trade is msg.sender, meaning the output of the trade is transferred directly to msg.sender
Closed code423n4 closed 1 year ago
Picodes
commented
1 year ago The recipient of the trade is msg.sender, meaning the output of the trade is transferred directly to msg.sender
c4-judge
commented
1 year ago Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/DepositTradeHelper.sol#L33
Vulnerability details
Impact
depositAndTradefunction seems to be incomplete - the tokenOutput from_swapRouteris currently owned byDepositTradeHelperaccount and needs to be transferred back tomsg.senderwho initiated this transaction. Since this contract doesn't seem to be part of core contracts of protocol (although listed in audit scope), I've marked it asMEDIUMrisk.Current implementation does not use return value of
_swapRouter.exactInputSingle()in line 33. As per UniswapV3 docs,exactInputSinglefunction returns a token output valueamountOutputas belowSince such tokens rightfully belong to
msg.sender, a transfer of the said token needs to be implemented to complete the loop (with a nonReentrant) modifierProof of Concept
Bob signs a offchain message to approve USDC in his wallet to be spent by
DepositTradeHelper. Contract executesdepositAndTradefunction to swap out USDC for long/short tokens of saySpaceX prePO. Bob does not see the tokens in his wallet even after successful execution of the transactionTools Used
Recommended Mitigation Steps
Helper should complete the loop -> by transferring tokens returned by Uniswap V3 router to msg.sender. Consider code below as a suggested replacement for Line 33 in existing code base
Not to forget, this function needs to use the
nonReentrantmodifier