code-423n4 / 2023-09-goodentry-mitigation-findings


M-01 MitigationConfirmed #35

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

Vulnerability details

Comments

In order to be compatible with the Uniswap V2 interface, the V3Proxy contract uses a to parameter, whose original intention is to specify the address to which the tokens are to be sent. But in this protocol tokens are always sent to msg.sender, not to; this is by design. However, users may misunderstand and mistakenly set different addresses that do not match the intended intent.

Mitigation

require(msg.sender == to, "Swap to self only");

Emphasize this by strictly restricting msg.sender == to

Suggestion

Explain to users in documentation

Conclusion

LGTM
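An added example, not part of the review above or of the project's code: a client-side pre-flight check that mirrors the `require(msg.sender == to, "Swap to self only")` mitigation, so an integrator can catch a mismatched `to` before submitting a transaction that would revert. It assumes the proxy exposes Uniswap V2 router-style swap functions with the standard ABI layout; the function names `extractTo` and `preflight`, the two mapped selectors, and all sample addresses and amounts are constructed for illustration.

```javascript
// selector -> zero-based position of the `to` argument among the 32-byte head words.
// Standard Uniswap V2 router ABI; that the proxy exposes these is an assumption.
const TO_ARG_INDEX = {
  "38ed1739": 3, // swapExactTokensForTokens(uint256,uint256,address[],address,uint256)
  "7ff36ab5": 2, // swapExactETHForTokens(uint256,address[],address,uint256)
};

// Return the `to` address encoded in the calldata, or null for an unknown selector.
function extractTo(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) throw new Error("malformed calldata");
  const idx = TO_ARG_INDEX[hex.slice(0, 8)];
  if (idx === undefined) return null;
  const word = hex.slice(8 + idx * 64, 8 + (idx + 1) * 64);
  if (word.length !== 64) throw new Error("calldata truncated");
  // An address sits right-aligned in its word; the upper 12 bytes must be zero.
  if (!word.startsWith("0".repeat(24))) throw new Error("address word has dirty upper bytes");
  return "0x" + word.slice(24);
}

// Mirror of the on-chain check: "ok", "mismatch" (would revert), or "unchecked".
function preflight(sender, calldata) {
  const to = extractTo(calldata);
  if (to === null) return "unchecked";
  return to === sender.toLowerCase() ? "ok" : "mismatch";
}

// --- constructed sample input (addresses and amounts are made up) ---
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const ALICE = "0x" + "a1".repeat(20);
const BOB = "0x" + "b2".repeat(20);
const buildSwap = (to) =>
  "0x38ed1739" +
  // head: amountIn, amountOutMin, path offset, to, deadline; tail: path length, two tokens
  ["0de0b6b3a7640000", "01", "a0", to, "6502b2a0",
   "02", "0x" + "c3".repeat(20), "0x" + "d4".repeat(20)]
    .map(pad).join("");

console.log(preflight(ALICE, buildSwap(ALICE)));
console.log(preflight(ALICE, buildSwap(BOB)));
```

A selector outside the map is reported as "unchecked" rather than passed, so the caller can decide whether to block or extend the map.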

c4-judge commented 12 months ago

gzeon-c4 marked the issue as confirmed for report

c4-judge commented 12 months ago

gzeon-c4 marked the issue as satisfactory