Closed code423n4 closed 1 year ago
kyscott18
commented
1 year ago What would a cast to uint256 even look like? It is the highest precision. Also, check out the uniswap periphery which does the same thing https://github.com/Uniswap/v3-periphery/blob/main/contracts/SwapRouter.sol#L67
c4-sponsor
commented
1 year ago kyscott18 requested judge review
berndartmueller
commented
1 year ago The LendgineRouter contract is a periphery contract and is not meant to hold funds. Besides, there are easier ways to sweep funds out of the contract by just using the Payment utils contract functions.
c4-judge
commented
1 year ago berndartmueller marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-01-numoen/blob/c75b39dc93fe327039b097ba149e1abe90d3b2f5/src/periphery/SwapHelper.sol#L38-L43
Vulnerability details
Unsafe cast on
uniswapV3SwapCallbackcan get all assets in the contractSummary
Type cast with overflows doesn't throw an error / revert therefore, value can be transferred out just by calling the method.
Contracts that inherit from SwapHelper:
Vulnerability Detail
Even though Solidity 0.8.x is used, type casts do not throw an error. A SafeCast library must be used everywhere a typecast is done. SafeCast Reference.
Impact
Wrong values used over the code as overflow / underflow doesn't revert on cast
Proof of Concept
Underflow can occur due to unsafe cast at the following code of a int256 into uint256:
If value is sent with for example erc20 transfers to this contract, value can get drained afterwards by anybody that calls this method
Code Snippet
https://github.com/code-423n4/2023-01-numoen/blob/c75b39dc93fe327039b097ba149e1abe90d3b2f5/src/periphery/SwapHelper.sol#L38-L43
Tool used
Manual Review
Recommendation
Use safeCast library for conversions that can overflow / underflow