hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

DepositBatch - multiTokenSwapAndTransfer function tries to refund twice for the same token #36

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: @aktech297
Twitter username: kaka
Submission hash (on-chain): 0xea28aee445e21b6cb0d4ff8bc4eca4e68da44fd4bad12f19e76d56095dbd6659
Severity: medium

Description: The function multiTokenSwapAndTransfer first refunds by traversing the array of tokens.

DepositBatch.sol#L73-L81

    //Return any leftover vault token dust to the user
    for (uint256 i; i < tokenLength; i++) {
      address _token = tokens[i];
      TransferHelper.safeTransfer(
        _token,
        user,
        _getTokenBalance(_token, address(this))
      );
    }

and then refunds the _depositToken separately.

DepositBatch.sol#L85-L89

      TransferHelper.safeTransfer(
        _depositToken,
        user,
        _getTokenBalance(_depositToken, address(this))
      );

The issue here is that the array would have the _depositToken.

So, the logic would refund the same token twice, which will break due to insufficient balance or transfer more when the contract has extra funds.

1. Revised Code File (Optional): Please refer to the swap flow where it is handled properly.

https://github.com/hats-finance/Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77/blob/aa47c9ff85bcc2bede62978c3895668b549da125/contracts/bundle/DepositBatch.sol#L51-L65

langnavina97 commented 1 week ago

One process returns the portfolio tokens, while the other returns the deposit token. If the depositToken is a portfolioToken, a balance of 0 will be returned. @aktech297
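To check the exchange above, here is an added model (not the project's own code, and not Solidity) of the quoted refund sequence replayed against an in-memory ERC-20 ledger; the token names, addresses and amounts are constructed.

```python
# Added example, not Velvet Capital code: replays DepositBatch.sol#L73-L89
# against an in-memory ledger to see what the second safeTransfer moves when
# _depositToken is also in `tokens`. Addresses below are placeholders.

CONTRACT = "0xCONTRACT"
USER = "0xUSER"


class Ledger:
    """Constructed in-memory stand-in for ERC-20 balances of several tokens."""

    def __init__(self):
        self.balances = {}  # (token, holder) -> amount

    def balance_of(self, token, holder):
        return self.balances.get((token, holder), 0)

    def safe_transfer(self, token, sender, to, amount):
        # Mirrors TransferHelper.safeTransfer: revert on insufficient balance.
        if self.balance_of(token, sender) < amount:
            raise RuntimeError(f"insufficient {token} balance for transfer")
        self.balances[(token, sender)] -= amount
        self.balances[(token, to)] = self.balance_of(token, to) + amount


def refund(ledger, tokens, deposit_token, user):
    """Loop refund (L73-L81), then deposit-token refund (L85-L89).

    Returns the amount each safeTransfer moved, in order, so the caller can
    see whether the deposit token was paid out twice.
    """
    moved = []
    for token in tokens:
        amount = ledger.balance_of(token, CONTRACT)  # read at transfer time
        ledger.safe_transfer(token, CONTRACT, user, amount)
        moved.append((token, amount))
    # Second refund re-reads the balance, which the loop already emptied.
    amount = ledger.balance_of(deposit_token, CONTRACT)
    ledger.safe_transfer(deposit_token, CONTRACT, user, amount)
    moved.append((deposit_token, amount))
    return moved


def run_scenario():
    """Constructed scenario: USDC is a portfolio token and the deposit token."""
    ledger = Ledger()
    ledger.balances[("USDC", CONTRACT)] = 40  # dust left after the swaps
    ledger.balances[("WETH", CONTRACT)] = 7
    moved = refund(ledger, ["USDC", "WETH"], "USDC", USER)
    return moved, ledger.balance_of("USDC", USER), ledger.balance_of("USDC", CONTRACT)
```

Running `run_scenario()` shows the USDC dust leaving the contract exactly once in the loop and the separate deposit-token refund moving 0.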