Open hats-bug-reporter[bot] opened 5 months ago
- Deposit same "fromAsset" and "toAsset" into the contract say 100DAI
- Set minOut to 100DAI to avoid loss
- Get back 100DAI
- And pay _vaultFee to the protocol from the "toAsset".
Set minOut to 100DAI to avoid loss
That is not how the minout works.
minOut is a user input based on the code. It only works in accordance with what a user specifies.
Please provide PoC.
But the vulnerability is too obvious to require a PoC. Swapping one same token is allowed and this vulnerability is bound to happen.
Without a PoC I have determined it to be invalid. You have 2 options:
I understand. But why invalid without a reason?
The issue does not make sense. As in: I wrote the code for Catalyst but cannot understand any part of this issue.
I don't know how to provide you with any reason except that
- Deposit same "fromAsset" and "toAsset" into the contract say 100DAI
- Set minOut to 100DAI to avoid loss
- Get back 100DAI
- And pay _vaultFee to the protocol from the "toAsset".
```
function localSwap(
    DAI,
    DAI,
    100*10**18,
    100*10**18
)
```
This is my final verdict. I won't accept a PoC anymore for this issue and you need to raise it to Hats if you want a second opinion.
I apologise if I've crossed the line. I will work on a PoC and raise it to Hats if anything meaningful comes out of it.
Github username: --
Twitter username: 97Sabit
Submission hash (on-chain): 0xd4b93bd899e8d4cd368be5a784be39dc05bfdec26e681b4b0450d3bf9e1486bd
Severity: high

Description: The localSwap function allows the "fromAsset" and the "toAsset" to be one same token. For every swap, a _vaultFee is removed. A _vaultFee could either be <=1e18. And _vaultFee is removed from the "fromAsset".
Invariably, _vaultFee will be removed from the "toAsset" in the pool since "fromAsset" and "toAsset" are the same.
As a result, a malicious protocol or a malicious user can swap same asset in order for the _vaultFee to be removed from the pool and transferred to the protocol.
For example, a malicious protocol or a malicious user (who wants to drain the pool and benefit the protocol) can:
Note that the "toAsset" in the pool will keep decreasing and not increase as a result.
https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultCommon.sol#L348
https://github.com/catalystdao/catalyst/blob/27b4d0a2bca177aff00def8cd745623bfbf7cb6b/evm/src/CatalystVaultAmplified.sol#L807