swapTokensForExactTokens will transfer the entire balance of assetIn to msg.sender after swap, which allows anyone to steal funds stuck in the contract and conflicts with emergencyWithdraw
swapTokensForExactTokens will transfer the entire balance of assetIn to msg.sender after swap.
The correct approach should be like swapTokensForExactETH, only transfer amountInMax - amount[0].
Lines of code
https://github.com/GoodEntry-io/ge/blob/c7c7de57902e11e66c8186d93c5bb511b53a45b8/contracts/helper/V3Proxy.sol#L134
Vulnerability details
Impact
swapTokensForExactTokens will transfer the entire balance of assetIn to msg.sender after swap, which allows anyone to steal funds stuck in the contract and conflicts with emergencyWithdraw
Proof of Concept
swapTokensForExactTokens will transfer the entire balance of assetIn to msg.sender after swap. The correct approach should be like swapTokensForExactETH, only transfer
amountInMax - amount[0]
.Tools Used
Manual review
Recommended Mitigation Steps
Modify transfer amount
Assessed type
Context