code-423n4 / 2024-08-superposition-validation


Admin cannot collect protocol fee due to Incorrect Parameter Order in ERC20 Transfer Function Call #240

Closed c4-bot-2 closed 1 month ago

c4-bot-2 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/lib.rs#L1149-L1150

Vulnerability details

Impact

In either case the admin cannot collect the protocol fee.

Proof of Concept

In the collect_protocol_7540_F_A_9_F function, the erc20::transfer_to_addr function is misused. The correct parameter order for this function is (token, recipient, amount): https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/wasm_erc20.rs#L158

In the current implementation the order is wrong: recipient is passed in the token position, and the token address (pool or FUSDC_ADDR) is passed in the recipient position.

```rust
// Current (incorrect) calls: the first two arguments are swapped.
erc20::transfer_to_addr(recipient, pool, U256::from(token_0))?;
erc20::transfer_to_addr(recipient, FUSDC_ADDR, U256::from(token_1))?;
```

Tools Used

Manual Review

Recommended Mitigation Steps

Correct the parameter order in the erc20::transfer_to_addr function calls:

```rust
erc20::transfer_to_addr(pool, recipient, U256::from(token_0))?;
erc20::transfer_to_addr(FUSDC_ADDR, recipient, U256::from(token_1))?;
```
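To make the failure mode concrete, here is an added, self-contained Rust example that is not part of the seawater code base or of this report. It mocks an ERC20-style ledger with a `transfer_to_addr(token, recipient, amount)` helper whose two address parameters share one type, reproduces the swapped call from the finding, and shows a newtype-based signature (`Token`, `Recipient`) under which the same swap no longer compiles. The `Address`, `Ledger`, `SELF_ADDR`, `POOL_TOKEN`, `FUSDC_ADDR`, `ADMIN` names and all balances are constructed for the example; the real contract's types and values differ.

```rust
// Added example (not seawater's code): a minimal mock of an ERC20 transfer helper
// that takes (token, recipient, amount) positionally, showing how swapping the
// first two arguments goes wrong, and a newtype-based signature that makes the
// swap a compile-time error. All types, names and balances here are constructed.
use std::collections::HashMap;

/// 20-byte address, stand-in for the real Address type (assumption).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct Address(pub [u8; 20]);

impl Address {
    pub const fn from_byte(b: u8) -> Self { Address([b; 20]) }
}

/// The contract's own address, i.e. the holder the helper debits (constructed).
pub const SELF_ADDR: Address = Address::from_byte(0xAA);
/// Sample token and recipient addresses (constructed).
pub const FUSDC_ADDR: Address = Address::from_byte(0xF1);
pub const POOL_TOKEN: Address = Address::from_byte(0xB2);
pub const ADMIN: Address = Address::from_byte(0x01);

/// Mock ledger: balances keyed by (token contract, holder).
#[derive(Default)]
pub struct Ledger {
    balances: HashMap<(Address, Address), u128>,
}

impl Ledger {
    pub fn mint(&mut self, token: Address, holder: Address, amount: u128) {
        *self.balances.entry((token, holder)).or_insert(0) += amount;
    }

    pub fn balance_of(&self, token: Address, holder: Address) -> u128 {
        *self.balances.get(&(token, holder)).unwrap_or(&0)
    }

    /// Untyped helper mirroring a (token, recipient, amount) signature.
    /// Both address parameters have the same type, so the compiler cannot
    /// tell a swapped call from a correct one; the mistake surfaces only at
    /// run time, here as a failed transfer of a "token" that is really the
    /// recipient's address and in which the contract holds nothing.
    pub fn transfer_to_addr(&mut self, token: Address, recipient: Address, amount: u128) -> Result<(), String> {
        let held = self.balance_of(token, SELF_ADDR);
        if held < amount {
            return Err(format!("insufficient balance of token {:?}", token));
        }
        self.balances.insert((token, SELF_ADDR), held - amount);
        *self.balances.entry((token, recipient)).or_insert(0) += amount;
        Ok(())
    }
}

/// Newtypes that give the two address parameters distinct types.
#[derive(Clone, Copy, Debug)]
pub struct Token(pub Address);
#[derive(Clone, Copy, Debug)]
pub struct Recipient(pub Address);

impl Ledger {
    /// Typed wrapper: `transfer_typed(Recipient(..), Token(..), ..)` is a type error.
    pub fn transfer_typed(&mut self, token: Token, to: Recipient, amount: u128) -> Result<(), String> {
        self.transfer_to_addr(token.0, to.0, amount)
    }
}

/// The buggy shape from the finding: recipient passed where the token belongs.
pub fn collect_swapped(ledger: &mut Ledger, recipient: Address, fee0: u128, fee1: u128) -> Result<(), String> {
    ledger.transfer_to_addr(recipient, POOL_TOKEN, fee0)?;
    ledger.transfer_to_addr(recipient, FUSDC_ADDR, fee1)?;
    Ok(())
}

/// The corrected shape, routed through the typed wrapper so the order is checked.
pub fn collect_fixed(ledger: &mut Ledger, recipient: Address, fee0: u128, fee1: u128) -> Result<(), String> {
    ledger.transfer_typed(Token(POOL_TOKEN), Recipient(recipient), fee0)?;
    ledger.transfer_typed(Token(FUSDC_ADDR), Recipient(recipient), fee1)?;
    Ok(())
}

/// Builds a ledger where the contract holds accrued fees in both tokens (constructed).
pub fn fee_ledger() -> Ledger {
    let mut l = Ledger::default();
    l.mint(POOL_TOKEN, SELF_ADDR, 1_000);
    l.mint(FUSDC_ADDR, SELF_ADDR, 500);
    l
}

fn main() {
    let mut l = fee_ledger();
    println!("swapped: {:?}", collect_swapped(&mut l, ADMIN, 1_000, 500));
    let mut l = fee_ledger();
    println!("fixed:   {:?}", collect_fixed(&mut l, ADMIN, 1_000, 500));
    println!("admin fUSDC after fix: {}", l.balance_of(FUSDC_ADDR, ADMIN));
}
```

Running it, the swapped variant returns an error on the first call and leaves every balance untouched, while the fixed variant moves both fee balances to the admin. The point of the newtypes is the mitigation beyond reordering two arguments: wherever a helper takes several parameters of the same primitive type, distinct wrapper types turn an argument-order slip from a run-time revert into a compile error.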

Assessed type

Token-Transfer