hats-finance / Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4


The localSwap function does not verify that the fromAsset and toAsset are different #57

Open hats-bug-reporter[bot] opened 5 months ago

hats-bug-reporter[bot] commented 5 months ago

GitHub username: --
Twitter username: 97Sabit
Submission hash (on-chain): 0x5172b2b61ea439c3993f2b1722b84a12c54620b402d1160471f8d11dfeba07f6
Severity: high

Description: The localSwap function does not verify that the fromAsset and toAsset are different before performing a swap. What this means is that the same token can be swapped for one another.

This allows an attacker to increase the balance of the toAsset before performing the swap.

Since there is a provision for minOut, an attacker can specify an amount greater than the input amount to ensure he loses nothing.

  1. Proof of Concept (PoC) File

    https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultAmplified.sol#L807

reednaa commented 5 months ago

Not an issue. Relevant test: https://github.com/hats-finance/Catalyst-Exchange-0x3026c1ea29bf1280f99b41934b2cb65d053c9db4/blob/fba322fab023a9206183fb455e9f86facd550d8a/evm/test/CatalystVault/SelfSwap.t.sol#L63

Please provide a PoC that this is exploitable if you disagree.

reednaa commented 5 months ago

There is another participant who wants to claim a similar issue. If you want to reclaim, please resubmit with a PoC.