code-423n4 / 2024-08-superposition-validation


Incorrect Parameter in `collect_protocol_7540_F_A_9_F` Method of `lib.rs` Causes Token Transfer Failure when Collecting Protocol Fees #167

Closed c4-bot-2 closed 1 month ago

c4-bot-2 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/lib.rs#L1149-L1150
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/wasm_erc20.rs#L158

Vulnerability details

Impact

The collect_protocol_7540_F_A_9_F method in the Pools struct of the lib.rs contract of the Seawater package is responsible for collecting protocol fees. It uses the transfer_to_addr function to transfer tokens to the recipient, but passes the recipient address as the first argument and the token address as the second. The transfer_to_addr function in the wasm_erc20.rs contract expects the token address first and the recipient address second. Because the two arguments are swapped, the tokens are not transferred to the recipient, and fee collection fails.

Proof of Concept

The collect_protocol_7540_F_A_9_F method in the Pools struct of the lib.rs contract within the Seawater package collects protocol fees and transfers the collected tokens to the recipient. It calls transfer_to_addr with the recipient address as the first argument and the token address as the second. pkg/seawater/src/lib.rs:collect_protocol_7540_F_A_9_F-L1149-L1150

                #[allow(non_snake_case)]
                pub fn collect_protocol_7540_F_A_9_F(
                    &mut self,
                    pool: Address,
                    amount_0: u128,
                    amount_1: u128,
                    recipient: Address,
                ) -> Result<(u128, u128), Revert> {
                    assert_eq_or!(
                        msg::sender(),
                        self.seawater_admin.get(),
                        Error::SeawaterAdminOnly
                    );

                    let (token_0, token_1) = self
                        .pools
                        .setter(pool)
                        .collect_protocol(amount_0, amount_1)?;

1149 @audit=>       erc20::transfer_to_addr(recipient, pool, U256::from(token_0))?;
1150 @audit=>       erc20::transfer_to_addr(recipient, FUSDC_ADDR, U256::from(token_1))?;

                    #[cfg(feature = "log-events")]
                    evm::log(events::CollectProtocolFees {
                        pool,
                        to: recipient,
                        amount0: token_0,
                        amount1: token_1,
                    });

                    // transfer tokens
                    Ok((token_0, token_1))
                }

The issue arises because the transfer_to_addr function in the wasm_erc20.rs contract expects the first parameter to be the token address and the second to be the recipient address. Passing them in the wrong order means the recipient never receives the tokens. pkg/seawater/src/wasm_erc20.rs:transfer_to_addr-L158

/// Sends ERC20 tokens to a specific recipient.
///
/// # Side effects
/// Transfers ERC20 tokens to a recipient.

158 @audit=>    pub fn transfer_to_addr(token: Address, recipient: Address, amount: U256) -> Result<(), Error> {
                    safe_transfer(token, recipient, amount)
                }

To resolve this issue, the collect_protocol_7540_F_A_9_F method should pass its arguments to transfer_to_addr in the order that function expects.

Tools Used

Manual Review

Recommended Mitigation Steps

Modify the collect_protocol_7540_F_A_9_F method so that its calls to transfer_to_addr pass the token address as the first argument, the recipient address as the second, and the amount of tokens to transfer as the third.
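As an added illustration (not code from the Seawater project), the following mock ERC20 ledger reproduces the failure mode: the argument order from the audited line L1149 attempts a token call against the recipient address and reverts, while the corrected order succeeds. It also shows newtype wrappers that turn such a swap of two same-typed `Address` arguments into a compile error; the `Chain`, `Token`, `Recipient` and `demo_chain` names and the `[u8; 20]` address type are assumptions of this example.

```rust
// Added example, not Seawater's own code: a mock ERC20 ledger showing why the
// reported `transfer_to_addr(recipient, pool, ..)` fails while the corrected
// `transfer_to_addr(pool, recipient, ..)` succeeds, plus newtype wrappers that
// make the swapped call a compile error. Addresses are [u8; 20] stand-ins.
use std::collections::HashMap;
pub type Address = [u8; 20];

#[derive(Debug, PartialEq)]
pub enum Error { NotAToken(Address), InsufficientBalance }

/// Newtypes: a `Token` cannot be passed where a `Recipient` is expected.
pub struct Token(pub Address);
pub struct Recipient(pub Address);

/// Mock chain: `this` is the Seawater contract holding collected fees;
/// `tokens` maps each ERC20 contract address to its balance table.
pub struct Chain { pub this: Address, pub tokens: HashMap<Address, HashMap<Address, u128>> }

impl Chain {
    /// Same argument order as the audited `transfer_to_addr(token, recipient, amount)`.
    /// Calling it with an address that is no token contract reverts, as it would on-chain.
    pub fn transfer_to_addr(&mut self, token: Address, recipient: Address, amount: u128) -> Result<(), Error> {
        let balances = self.tokens.get_mut(&token).ok_or(Error::NotAToken(token))?;
        let held = balances.entry(self.this).or_insert(0);
        if *held < amount { return Err(Error::InsufficientBalance); }
        *held -= amount;
        *balances.entry(recipient).or_insert(0) += amount;
        Ok(())
    }

    /// Typed variant: `transfer_to_addr_typed(Recipient(r), Token(t), ..)` does not compile.
    pub fn transfer_to_addr_typed(&mut self, token: Token, to: Recipient, amount: u128) -> Result<(), Error> {
        self.transfer_to_addr(token.0, to.0, amount)
    }
}

/// The call as written at lib.rs L1149: recipient and pool (the token_0 address) are swapped.
pub fn collect_as_reported(c: &mut Chain, pool: Address, to: Address, amt: u128) -> Result<(), Error> {
    c.transfer_to_addr(to, pool, amt)
}

/// The corrected call: token first, recipient second.
pub fn collect_fixed(c: &mut Chain, pool: Address, to: Address, amt: u128) -> Result<(), Error> {
    c.transfer_to_addr_typed(Token(pool), Recipient(to), amt)
}

/// Constructed scenario: the contract holds 1_000 units of the pool's token_0.
pub fn demo_chain(pool: Address, this: Address) -> Chain {
    let ledger = HashMap::from([(this, 1_000u128)]);
    Chain { this, tokens: HashMap::from([(pool, ledger)]) }
}
```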

Assessed type

Token-Transfer