Open hats-bug-reporter[bot] opened 5 months ago
It will eventually hit: https://github.com/hats-finance/Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/blob/fba322fab023a9206183fb455e9f86facd550d8a/evm/src/CatalystVaultAmplified.sol#L267
Will revert if the token is either to or from a token not part of the contract.
See https://github.com/hats-finance/Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/issues/29 for a similar bug.
Github username: @ololade97 Twitter username: 97Sabit Submission hash (on-chain): 0x95c1d4818f21bfe050a814e412cfd4185f4e0fcb30bb2a18a44f152ec2c80360 Severity: high
Description: Description\ In the depositMixed function, it doesn't check the types of tokens being deposited by a user. An attacker can deposit fake tokens into the contract.
Then, call the localSwap function. The fake token deposited would be passed as the
fromAsset
address. And theassetTo
would be the real asset address in the contract.This allows an attacker to exchange fake tokens for real tokens.
https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultAmplified.sol#L807-L846
https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultAmplified.sol#L290