search

code-423n4 / 2024-02-wise-lending-findings

11 stars 8 forks source link

`PendlePowerFarmLeverageLogic` does not validate if `ENTRY_ASSET != WETH_ADDRESS ` before performing swap #129

Closed c4-bot-10 closed 7 months ago

c4-bot-10 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarm/PendlePowerFarmLeverageLogic.sol#L246-L259 https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarm/PendlePowerFarmLeverageLogic.sol#L427-L440

Vulnerability details

Impact

Trying to enter a Pendle power farm on Arbitrum where the ENTRY_ASSET is the same as the WETH_ADDRESS will cause the transaction to revert due to the fact that Uniswap V3 doesn't have pools for same-token pairs.

Proof of Concept

PendlePowerFarmLeverageLogic has the following piece of code:

function _getTokensUniV3(
    uint256 _amountIn,
    uint256 _minOutAmount,
    address _tokenIn,
    address _tokenOut
)
    internal
    returns (uint256)
{
    return UNISWAP_V3_ROUTER.exactInputSingle(
        IUniswapV3.ExactInputSingleParams(
            {
                tokenIn: _tokenIn,
                tokenOut: _tokenOut,
                fee: UNISWAP_V3_FEE,
                recipient: address(this),
                deadline: block.timestamp,
                amountIn: _amountIn,
                amountOutMinimum: _minOutAmount,
                sqrtPriceLimitX96: 0
            }
        )
    );
}

This is used inside _logicOpenPosition to perform a swap as part of the flash loan repaying logic and is only called into when the chain is Arbitrum:

function _logicOpenPosition(
        bool _isAave,
        uint256 _nftId,
        uint256 _depositAmount,
        uint256 _totalDebtBalancer,
        uint256 _allowedSpread
    )
        internal
{
   // ...

    if (block.chainid == ARB_CHAIN_ID) {

        _depositAmount = _getTokensUniV3(
            _depositAmount,
            _getEthInTokens(
                    ENTRY_ASSET,
                    _depositAmount
                )
            * reverseAllowedSpread
            / PRECISION_FACTOR_E18,
            WETH_ADDRESS,
            ENTRY_ASSET
        );
    }

    // ...
}

The problem is that Uniswap V3 doesn't allow pools to exist where both tokens in the pair are the same token. This will cause a revert for power farms where the ENTRY_TOKEN is WETH.

Tools Used

Manual Review

Recommended Mitigation Steps

Check WETH_ADDRESS != ENTRY_ASSET as well before entering the block.

Assessed type

Uniswap

GalloDaSballo commented 7 months ago

Validation issue, QA at most

c4-pre-sort commented 7 months ago

GalloDaSballo marked the issue as insufficient quality report

c4-pre-sort commented 7 months ago

GalloDaSballo marked the issue as primary issue

c4-judge commented 7 months ago

trust1995 changed the severity to QA (Quality Assurance)

c4-judge commented 7 months ago

trust1995 marked the issue as grade-c