Open c4-submissions opened 1 year ago
The vulnerability is obvious. The excess tokens in swapTokensForExactETH are not returned to the user, resulting in loss of funds.
ogInAsset.safeTransfer(msg.sender, amountInMax - amounts[0]);
Obtain the actual amount of funds used by returning the value, calculate the difference and return the excess funds.
LGTM
gzeon-c4 marked the issue as confirmed for report
gzeon-c4 marked the issue as satisfactory
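The refund pattern discussed in this issue, written out as an added example (not the project's code and not part of the original thread). The wrapper contract and its names are hypothetical, and the router interface is assumed to follow the Uniswap V2 signature for swapTokensForExactETH, where amounts[0] is the input actually consumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumption: router exposes the Uniswap V2 style function.
interface IRouterLike {
    function swapTokensForExactETH(
        uint256 amountOut,
        uint256 amountInMax,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical wrapper, constructed for illustration only.
contract ExactEthSwapWrapper {
    using SafeERC20 for IERC20;

    IRouterLike public immutable router;

    constructor(IRouterLike router_) {
        router = router_;
    }

    function swapForExactETH(
        uint256 amountOut,
        uint256 amountInMax,
        address[] calldata path,
        uint256 deadline
    ) external returns (uint256 spent) {
        IERC20 tokenIn = IERC20(path[0]);
        // The wrapper pulls the caller's worst-case budget up front.
        tokenIn.safeTransferFrom(msg.sender, address(this), amountInMax);
        tokenIn.forceApprove(address(router), amountInMax);
        // The router only takes what the exact-output swap needs.
        uint256[] memory amounts =
            router.swapTokensForExactETH(amountOut, amountInMax, path, msg.sender, deadline);
        spent = amounts[0];
        tokenIn.forceApprove(address(router), 0); // drop the leftover allowance
        // Without this refund, amountInMax - spent stays in the wrapper: the reported loss.
        if (amountInMax > spent) {
            tokenIn.safeTransfer(msg.sender, amountInMax - spent);
        }
    }
}
```

A review or test of such a wrapper can check that its input-token balance is unchanged after the call, for any amountInMax above the amount the swap consumes.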