Closed c4-bot-2 closed 4 months ago
Picodes marked the issue as primary issue
othernet-global (sponsor) disputed
Liquidity can only be added to whitelisted pools. If a pool was previously whitelisted, liquidity added, and then unwhitelisted - it is acceptable that users can still swap on the unwhitelisted pool as it has no effect on the exchange.
Picodes changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2024-01-salty/blob/main/src/pools/Pools.sol#L363 https://github.com/code-423n4/2024-01-salty/blob/main/src/pools/Pools.sol#L366-L378 https://github.com/code-423n4/2024-01-salty/blob/main/src/pools/PoolsConfig.sol#L29
Vulnerability details
Impact
The
Pools.swap
function is used to swap one token for another via a direct whitelisted pool as described in the following natspec comment:Even though the
natspec
comment states that the swap should happen via awhitelisted pool
there is no check implemented in thePools.swap
function to ensure that thePool is whitelisted
. The whitelisted pools are stored in thePoolsConfig._whitelist
variable.But during the
Pools.swap
function execution flow there was no reference made to thePoolsConfig._whitelist
Bytes32Set to verify whether the pool that contains theswapTokenIn
andswapTokenOut
tokens is whitelisted even though theNatspec
comments states it should be.Hence there seems to be a lack of conditional check in the
Pools.swap
function which deviates the functionality from the expected behavior.Proof of Concept
https://github.com/code-423n4/2024-01-salty/blob/main/src/pools/Pools.sol#L363
https://github.com/code-423n4/2024-01-salty/blob/main/src/pools/Pools.sol#L366-L378
https://github.com/code-423n4/2024-01-salty/blob/main/src/pools/PoolsConfig.sol#L29
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to implement a check in the
Pools.swap
function to verify whether thepool containing the tokens to be swapped
are indeed whitelisted in theDEX
as thenatspec comment states
. This can be done by checking the poolID of the tokens to be swapped against the whitelisted pools stored in thePoolsConfig._whitelist
variable.Assessed type
Other