(bool aggSuccess, ) = address(swapRouter).call(
abi.encodeWithSignature(
"swapExactTokensForETH(uint256,uint256,address[],address,uint256)",
fromAmount,
amountOutMin,
path,
recipient,
type(uint).max // Assuming using the maximum uint256 value as the deadline
)
);
require(aggSuccess, "swapExactTokensForETH failed");
If there are no extra funds in the target, the exchange will fail. Even if there are excess funds, this will occupy other funds for exchange.
Tools Used
manual
Recommended Mitigation Steps
It is recommended to determine the fromAmount when exchanging based on the actual number of tokens transferred to the target.
Lines of code
https://github.com/code-423n4/2024-06-thorchain/blob/e3fd3c75ff994dce50d6eb66eb290d467bd494f5/chain/ethereum/contracts/THORChain_Router.sol#L347-L360
Vulnerability details
Impact
If the fromAsset in the _transferOutAndCallV5 function is a fee-on token, the exchange may fail.
Proof of Concept
If fromAsset in the _transferOutAndCallV5 function is a charging token, first transfer the funds to the target, and the amount is fromAmount. Since it is a fee-based token, the amount received by target must be less than fromAmount.
Then call the target for redemption, and the incoming parameter is fromAmount.
In the target, the swapOutV5 function also uses fromAmount for exchange.
If there are no extra funds in the target, the exchange will fail. Even if there are excess funds, this will occupy other funds for exchange.
Tools Used
manual
Recommended Mitigation Steps
It is recommended to determine the fromAmount when exchanging based on the actual number of tokens transferred to the target.
Assessed type
ERC20