Closed c4-bot-3 closed 8 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #30
Readme: Other than the UTBFeeCollector, and DcntEth, the contracts are not intended to hold on to any funds or unnecessary approvals. Any native value or erc20 flowing through the protocol should either get delivered or refunded.
alex-ppg marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-01-decent/blob/main/src/swappers/UniSwapper.sol#L123-L141
https://github.com/code-423n4/2024-01-decent/blob/main/src/swappers/UniSwapper.sol#L143-L169
Vulnerability details
Impact
A malicious user can drain all tokens held by UniSwapper.sol through the functions `swapExactOut()` and `swapExactIn()`.
Proof of Concept
The functions `swapExactOut()` and `swapExactIn()` pass the swap `path` to the `swap_router` and then forward the resulting tokens to the recipient. However, neither function validates that `swapParams.tokenOut` is the same token as the last token of the `path` handed to the `swap_router`. The `swap_router` can therefore swap into a token chosen by the path rather than `swapParams.tokenOut`.

A malicious user can set `swapParams.tokenOut` to the token they want to steal from UniSwapper.sol and choose the `path` so as to maximise the number of tokens received after the swap. `amountOut` tokens of `swapParams.tokenOut` are then sent to the recipient (the user).

Tools Used
Manual Review
Recommended Mitigation Steps
Consider making `swapExactOut()` and `swapExactIn()` internal, since they are called by `swap()`, which also validates the input parameters.

Assessed type
Other
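The following is an added example, not code from UniSwapper.sol or the Decent project, showing the check the Proof of Concept says is missing together with the visibility change the mitigation recommends. It assumes a Uniswap V3 style packed path (20-byte token, 3-byte fee, 20-byte token, ...) and uses a simplified `SwapParams` struct as a stand-in for the report's `swapParams`; the library and contract names, the `PathCheck` helpers and the `HardenedSwapperSketch` contract are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for the report's `swapParams` (not the project's struct).
struct SwapParams {
    address tokenIn;
    address tokenOut;
    uint256 amountIn;
    uint256 amountOut;
    bytes path;
}

// Hypothetical helper library. Assumes Uniswap V3 packed path encoding:
// token (20 bytes) | fee (3 bytes) | token (20 bytes) | ... | token (20 bytes)
library PathCheck {
    uint256 private constant ADDR_SIZE = 20;
    uint256 private constant FEE_SIZE = 3;
    uint256 private constant HOP_SIZE = ADDR_SIZE + FEE_SIZE; // 23 bytes per hop

    error MalformedPath();
    error PathTokenMismatch(address expected, address actual);

    // A path with n hops is n * 23 + 20 bytes long and has at least one hop.
    function isWellFormed(bytes memory path) internal pure returns (bool) {
        return path.length >= HOP_SIZE + ADDR_SIZE
            && (path.length - ADDR_SIZE) % HOP_SIZE == 0;
    }

    // First 20 bytes of the path: the token the route starts from.
    function firstToken(bytes memory path) internal pure returns (address token) {
        if (!isWellFormed(path)) revert MalformedPath();
        assembly {
            token := shr(96, mload(add(path, 32)))
        }
    }

    // Last 20 bytes of the path: the token the route ends in.
    function lastToken(bytes memory path) internal pure returns (address token) {
        if (!isWellFormed(path)) revert MalformedPath();
        uint256 offset = path.length - ADDR_SIZE;
        assembly {
            token := shr(96, mload(add(add(path, 32), offset)))
        }
    }

    // exactInput: the path runs tokenIn -> ... -> tokenOut, so the last token
    // must equal swapParams.tokenOut (the check the report says is missing).
    function checkExactInPath(SwapParams memory p) internal pure {
        address first = firstToken(p.path);
        address last = lastToken(p.path);
        if (first != p.tokenIn) revert PathTokenMismatch(p.tokenIn, first);
        if (last != p.tokenOut) revert PathTokenMismatch(p.tokenOut, last);
    }

    // exactOutput in Uniswap V3 takes the path in reverse order
    // (tokenOut -> ... -> tokenIn), so tokenOut sits at the start of the path.
    function checkExactOutPath(SwapParams memory p) internal pure {
        address first = firstToken(p.path);
        address last = lastToken(p.path);
        if (first != p.tokenOut) revert PathTokenMismatch(p.tokenOut, first);
        if (last != p.tokenIn) revert PathTokenMismatch(p.tokenIn, last);
    }
}

// Hypothetical sketch of the recommended shape: `swap()` is the only external
// entry point and the per-mode functions are internal, so the path check
// cannot be bypassed by calling them directly.
contract HardenedSwapperSketch {
    using PathCheck for SwapParams;

    event PathValidated(address tokenIn, address tokenOut, bool exactOut);

    function swap(SwapParams memory p, bool exactOut) external {
        require(p.tokenIn != address(0) && p.tokenOut != address(0), "zero token");
        require(p.tokenIn != p.tokenOut, "same token");
        if (exactOut) {
            _swapExactOut(p);
        } else {
            _swapExactIn(p);
        }
    }

    // Validation runs before anything is forwarded to the router; the router
    // call itself is outside the scope of this example.
    function _swapExactIn(SwapParams memory p) internal {
        p.checkExactInPath();
        emit PathValidated(p.tokenIn, p.tokenOut, false);
    }

    function _swapExactOut(SwapParams memory p) internal {
        p.checkExactOutPath();
        emit PathValidated(p.tokenIn, p.tokenOut, true);
    }
}
```

Two points worth noting when applying this to a real swapper. First, the check has to match the router's path convention: for Uniswap V3 `exactInput` the final token is the last 20 bytes of the path, but `exactOutput` takes the path reversed, so the token to compare against `tokenOut` is the first 20 bytes. Second, the visibility change on its own only closes the direct entry point; if `swap()` does not itself compare the path endpoints against `tokenIn` and `tokenOut`, the mismatch described in the report is still reachable through `swap()`, so the endpoint check belongs on every path into the router regardless of visibility.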