No events from any V5-based functions are parsed in smartcontract_log_parser.go, so all V5-function-based txns will be considered invalid.
The same issue exists in _routerDeposit, which also doesn't emit any event, so a transferAllowance txn would be considered valid if the router is different.
In the Discord server it was mentioned that any V5 functionality that isn't in smartcontract_log_parser should be considered out of scope. Even in this case, the second impact stands true, and it seems to be huge to consider this finding a medium severity one.
Proof of Concept
In the readme one of the core invariants is:
Only valid events emitted from the Router contract itself should result in the txInItem parameter being populated in the GetTxInItem function of the smartcontract_log_parser
The current implementation seems to completely break this invariant not only for V5 functions but also for _routerDeposit
Tools Used
Manual review
Recommended Mitigation Steps
Make sure to emit an event in _routerDeposit
Update the smartcontract_log_parser.go according to the event of V5 functions
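The invariant quoted above, as a minimal sketch added here for illustration (not code from smartcontract_log_parser.go or the contest repository). The types, the ParseLogs function, the event names and the addresses are all hypothetical; it shows that a router event with no handler yields no item, and reports such events so the gap is visible.

```go
package main

import (
	"fmt"
	"strings"
)

// Log is a simplified EVM log (constructed type, not the project's own).
type Log struct {
	Emitter string // contract address that emitted the log
	Event   string // event name, standing in for the topic0 hash
}

// TxInItem stands in for the item the parser populates.
type TxInItem struct{ Events []string }

// handled holds the events this sketch can parse (assumed names).
var handled = map[string]bool{"Deposit": true, "TransferAllowance": true}

// ParseLogs populates the item only from handled events emitted by router.
// Router events with no handler are returned separately so that a gap
// between the contract's events and the parser is visible.
func ParseLogs(router string, logs []Log) (*TxInItem, []string) {
	item := &TxInItem{}
	var unparsed []string
	for _, l := range logs {
		switch {
		case !strings.EqualFold(l.Emitter, router):
			// Invariant: logs from any other contract are ignored.
		case !handled[l.Event]:
			unparsed = append(unparsed, l.Event)
		default:
			item.Events = append(item.Events, l.Event)
		}
	}
	if len(item.Events) == 0 {
		return nil, unparsed // nothing valid was observed
	}
	return item, unparsed
}

func main() {
	const router = "0xR0" // constructed placeholder addresses
	logs := []Log{{"0xOther", "Deposit"}, {"0xr0", "ExampleV5Event"}}
	item, unparsed := ParseLogs(router, logs)
	fmt.Println(item == nil, unparsed) // true [ExampleV5Event]
}
```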
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/chain/ethereum/contracts/THORChain_Router.sol#L209
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/chain/ethereum/contracts/THORChain_Router.sol#L247
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/chain/ethereum/contracts/THORChain_Router.sol#L466
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/chain/ethereum/contracts/THORChain_Router.sol#L176
Vulnerability details
Impact
There are 2 issues
Assessed type
Other