DepositBatch : `multiTokenSwapAndTransfer` - swap can not happen as the allowance is not set to SWAP_TARGET

[hats-bug-reporter[bot]]

Github username: @aktech297 Twitter username: kaka Submission hash (on-chain): 0x7ac0dd7fe131b7525b62e9a560ad4c75efd14b2f6469a2be9a14b2ad11d4ac87 Severity: medium

Description: Description\ The functio multiTokenSwapAndTransfer, swaps the user's single token (chosen by the user) to vault tokens of a portfolio using Enso and deposits the tokens into the portfolio, issuing the user portfolio tokens. If the token to swap is the same as a portfolio token, the user's amount is simply passed as calldata.

to swap the tokens, the enso's router is used to swap.

DepositBatch.sol#L57-L61

      } else {
        (bool success, ) = SWAP_TARGET.delegatecall(data._callData[i]);
        if (!success) revert ErrorLibrary.CallFailed();
        balance = _getTokenBalance(_token, address(this));
      }

for this, the router need to be set allowance to spend tokens when swap.

In this function, the allowance value is not set, hence the swap operation can not be executed succesfully.

Impact\

Swap operation break so the multiTokenSwapAndTransfer action as well.

Attachments

1. Proof of Concept (PoC) File

DepositBatch.sol#L57-L61

      } else {
        (bool success, ) = SWAP_TARGET.delegatecall(data._callData[i]);
        if (!success) revert ErrorLibrary.CallFailed();
        balance = _getTokenBalance(_token, address(this));
      }

2. Revised Code File (Optional)

Set allowance to the SWAP_TARGET contract before calling the swap.

[aktech297]

kindly note that in WithdrawBatch contract also where the swap is done, the allowance is not set to the router.

[langnavina97]

The Enso Router does not need allowance as it uses delegatecall to execute the swaps directly from the caller. @aktech297