hats-finance / Spectra-0x4b792db3d2a5d1c1ccf9938380756b200c240e5d

Other
0 stars 1 forks source link

Permanent DOS on CURVE_SWAP command due to incorrect interface implemented in the dispatcher #6

Open hats-bug-reporter[bot] opened 2 weeks ago

hats-bug-reporter[bot] commented 2 weeks ago

Github username: @burhankhaja Twitter username: imaybeghost Submission hash (on-chain): 0x4ca80479c210e4fbdbd0521ddea2ee980757e9d3187aaa6e699308936a086a2f Severity: high

Description: Bug Category\ Protocol Insolvency

Description\ It is impossible to exchange tokens on curve pools via _dispatch(). The root-cause is in the discrepancy between the actual on-chain curve pool implementation of exchange() function and in the incorrect interface utilized in router contract.

Almost all the onchain curvefinance pool's exchange() function takes four parameters and none of them is the recepient address, instead it transfers exchanged tokens to the msg.sender

DAI-USDT-USDC Pool:

@external
@nonreentrant('lock')
def exchange(i: int128, j: int128, dx: uint256, min_dy: uint256):
    assert not self.is_killed  # dev: is killed
    rates: uint256[N_COINS] = RATES

    // ...skipped....
    // ...skipped....
    // ...skipped....

    log TokenExchange(msg.sender, i, dx, j, dy)

while as in the spectra's dispatcher, the recepient parameter is added along with another boolean parameter.

dispatcher.sol:

            ICurvePool(pool).exchange(
                i,
                j,
                amountIn,
                minAmountOut,
                false, // Do not use ETH
                recipient
            );

Therefore the EVM revert occurs everytime CURVE_SWAP command is executed resulting in the protocol insolvency

yanisepfl commented 1 week ago

Hello

We classified this issue as Invalid because you are referring to Curve's StableSwap3Pool.vy, whereas we use Curve's CurveCryptoSwap2ETH.vy. Also, please note that we are already live and propose many features implying Curve pools to our users.

Thanks