Malicious user can take out all tokens from UniSwapper.sol using the function swapNoPath()
Proof of Concept
Initially, the public function swapNoPath() lacks input validation.
When a malicious user sets swapParams.direction to SwapDirection.EXACT_IN and invokes the function, it transfers the specified amount of tokens (swapParams.amountIn) to itself via _receiveAndWrapIfNeeded(), and then transfers an equal quantity of swapParams.tokenOut tokens to the designated receiver.
This is seen in the following snippet:
The malicious user can create their own ERC20 token and then call this function, setting swapParams.amountOut as the token they want to steal and swapParams.amountIn as their own ERC20 token.
This drains all the tokens present at this address.
Tools Used
Manual Review
Recommended Mitigation Steps
This function is supposed to be internal, not public, since it does not validate any inputs and is called by the function swap().
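As an added illustration (a sketch written for this write-up, not the Decent project's code), the weak shape described above beside the mitigated shape the recommendation calls for. Only the names quoted in the finding (swapNoPath, swap, the SwapParams fields, SwapDirection.EXACT_IN, _receiveAndWrapIfNeeded) come from the page; the IERC20 interface, the struct layout, the receiver parameter and the placeholder checks in swap() are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative sketch, not the Decent code. From the finding: swapNoPath, swap,
// SwapParams fields, SwapDirection.EXACT_IN, _receiveAndWrapIfNeeded. Assumed:
// IERC20, the struct layout, the receiver argument and the checks in swap().
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

enum SwapDirection { EXACT_IN, EXACT_OUT }

struct SwapParams {
    SwapDirection direction;
    address tokenIn;
    address tokenOut;
    uint256 amountIn;
    uint256 amountOut;
}

abstract contract SwapperBase {
    // Core of the no-path branch as the finding describes it: pull `amt` of
    // tokenIn from the caller, then pay the same `amt` of tokenOut to receiver.
    function _swapNoPath(SwapParams memory p, address receiver) internal returns (uint256 amt) {
        amt = p.direction == SwapDirection.EXACT_IN ? p.amountIn : p.amountOut;
        _receiveAndWrapIfNeeded(p.tokenIn, amt);
        IERC20(p.tokenOut).transfer(receiver, amt);
    }

    function _receiveAndWrapIfNeeded(address token, uint256 amt) internal {
        IERC20(token).transferFrom(msg.sender, address(this), amt);
    }
}

contract WeakShape is SwapperBase {
    // Weak shape: the branch is public and unvalidated, so the caller picks both
    // tokens and a self-minted tokenIn is exchanged 1:1 for any tokenOut held here.
    function swapNoPath(SwapParams memory p, address receiver) public returns (uint256) {
        return _swapNoPath(p, receiver);
    }
}

contract MitigatedShape is SwapperBase {
    // Mitigated shape per the recommendation: the branch stays internal and is
    // reached only via swap(), the one entry point where inputs are checked.
    // Which tokens and callers to accept is a project decision; these are placeholders.
    function swap(SwapParams memory p, address receiver) external returns (uint256) {
        require(p.tokenIn != address(0) && p.tokenOut != address(0), "zero token");
        require(p.tokenIn != p.tokenOut, "same token");
        return _swapNoPath(p, receiver);
    }
}
```

The visibility change alone only removes the direct entry point; the checks that swap() enforces on tokenIn and tokenOut are what decide whether an arbitrary caller-supplied token can still be traded against the contract's balance.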
Lines of code
https://github.com/code-423n4/2024-01-decent/blob/main/src/swappers/UniSwapper.sol#L100-L121
Assessed type
ERC20