Open hats-bug-reporter[bot] opened 1 month ago
But they are not supposed to be public as this allows users to call the functions with the collateral tokens they like and therefore bypassing the functionality from the MainnetRouter and BaseRouter.
They are supposed to be used, as they allow dealing with any ERC20, not just DAI / sDAI
they are used if you split/merge from/to sDAI
sDAI / DAI is claimed to be the only collateral here:
https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/issues/16 https://github.com/hats-finance/SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7/issues/4
The functions that are responsible for this are the functions in the MainnetRouter and GnosisRouter
@xyzseer @greenlucid Can you please reconsider this?
Having functions that are not used yet is not an issue (we could in the future extend the use to other ERC20).
As per contest rules, are excluded:
Github username: -- Twitter username: -- Submission hash (on-chain): 0x57796cb5bc251f4258e3d981eda97c011cac4b00b182fec383ce6ed3b7c2f8a1 Severity: low

Description

At the moment the Router contract serves as a base contract for MainnetRouter and GnosisRouter. The problem is that inside of the Router the functions splitPositions(), mergePositions() and redeemPositions() are marked as public even though they are not supposed to be used directly.

Attack Scenario

Currently splitPositions() inside of the Router smart contract is marked as public: Router.sol::37

Same thing with redeemPositions() and mergePositions(): Router.sol::90, Router.sol::143

But they are not supposed to be public, as this allows users to call the functions with whatever collateral tokens they like and thereby bypass the functionality of the MainnetRouter and BaseRouter.

Recommendation

Make the functions internal instead of public, since MainnetRouter and BaseRouter inherit from the Router, and users must not be able to enter with a collateral token other than DAI.
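The two visibility layouts discussed in this thread, side by side, as an added illustration that is not SeeR-PM code: the contract names, the simplified function signatures and the bookkeeping in `_split` are assumptions chosen only to make the pattern compile, not the project's real API. The first base contract leaves the collateral-parameterised entry point `public`, so it is reachable without going through the derived router; the second follows the report's recommendation and keeps it `internal`, so the only externally callable path is the derived router's wrapper, which pins the collateral to a single token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Minimal ERC20 surface needed here.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Layout the report objects to: the base contract's collateral-parameterised
// function is `public`, so any caller can pick `collateral` themselves and the
// derived router's wrapper is not the only way in.
abstract contract RouterExposed {
    mapping(address => uint256) public positions;

    function splitPositions(IERC20 collateral, uint256 amount) public virtual {
        require(collateral.transferFrom(msg.sender, address(this), amount), "transfer failed");
        _split(msg.sender, amount);
    }

    // Hypothetical bookkeeping standing in for the real position-splitting logic.
    function _split(address owner, uint256 amount) internal {
        positions[owner] += amount;
    }
}

// Layout the report recommends: the collateral-parameterised function is
// `internal`, so only contracts that inherit from the base can reach it.
abstract contract RouterInternal {
    mapping(address => uint256) public positions;

    function _splitPositions(IERC20 collateral, uint256 amount) internal {
        require(collateral.transferFrom(msg.sender, address(this), amount), "transfer failed");
        _split(msg.sender, amount);
    }

    function _split(address owner, uint256 amount) internal {
        positions[owner] += amount;
    }
}

// Derived router (name and constructor are assumptions): the single external
// entry point fixes the collateral to the token configured at deployment, so a
// caller cannot substitute a different ERC20.
contract DaiOnlyRouter is RouterInternal {
    IERC20 public immutable collateralToken;

    constructor(IERC20 dai) {
        collateralToken = dai;
    }

    function splitPositions(uint256 amount) external {
        _splitPositions(collateralToken, amount);
    }
}
```

The same change applies verbatim to `mergePositions()` and `redeemPositions()`: each becomes an `internal` function taking the collateral as a parameter, and each derived router exposes one external wrapper that supplies the token it supports. Whether that restriction is desirable is exactly what the maintainers and the reporter disagree on above; if the base router is meant to serve arbitrary ERC20 collateral, the `public` layout is the intended design and the only thing to verify is that nothing downstream assumes the collateral is always DAI or sDAI.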