Github username: --
Twitter username: --
Submission hash (on-chain): 0xe7e1fdbf608a60508e54e95b612ad21d78b70e5c7d0d3d8bacb7960a9d0883b1
Severity: medium
Description

As the final call that transfers the token from the caller to the vault depends on the `transferFrom` function, a normal user cannot deposit tokens using the `multiTokenSwapAndTransfer` function in the `DepositBatch` contract.

`multiTokenSwapAndTransfer` calls the `multiTokenDepositFor` function with the following parameters (DepositBatch.sol#L67-L71).

`multiTokenDepositFor` works on an approval-based mechanism: whoever calls `multiTokenDepositFor` should self-approve the contract to spend tokens, because the final call to deposit the token is done like this (management/VaultManager.sol#L480-L486), where `_from` is the caller (VaultManager.sol#L357-L363).

Since the caller (`msg.sender`) is the `_from` in the above call, the caller should approve themselves to spend the token. This is unexpected. Refer to the following call chain to see who the caller is:

multiTokenDepositFor -> _multiTokenDeposit -> _handleTokenTransfer -> here
While the above call routine would work if the deposit is made by calling `multiTokenDepositFor` directly on the portfolio contract, it will not work for a call made through `DepositBatch`.

When `multiTokenDepositFor` is called from `DepositBatch`, `msg.sender` will be the `DepositBatch` contract.

In `DepositBatch`, `msg.sender` approves the portfolio contract to spend the token, but this approval is not used anywhere. Nowhere is the approval for `DepositBatch` by the `DepositBatch` contract done.

Due to this, the final call to transfer the token using `transferFrom` will revert due to insufficient approval.
Impact

Tokens cannot be deposited through the `DepositBatch` contract.

Revised Code File (Optional)

The `DepositBatch` contract should self-approve itself to spend the token when calling the `transferFrom` function.
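The following Solidity sketch is an added illustration of the failure mode and the fix described above; it is not the project's code. `MockToken`, `MiniPortfolio`, `BatcherBroken`, `BatcherFixed` and `depositFor` are hypothetical names that stand in for the ERC20 token, the portfolio contract's `multiTokenDepositFor`, and the two variants of `DepositBatch`. It assumes the contract that executes the final `transferFrom` (the spender) is the portfolio contract, so the allowance the batch contract must hold is an allowance from itself to that spender; the report's wording "self-approve" is modelled as that approval.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. MockToken, MiniPortfolio,
// BatcherBroken, BatcherFixed and depositFor are hypothetical names that
// model the flow described in the report.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Minimal ERC20 with only the allowance logic needed to reproduce the revert.
contract MockToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // msg.sender is the spender; this is the check that fails in the report
        require(allowance[from][msg.sender] >= amount, "ERC20: insufficient allowance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Stand-in for the portfolio: like multiTokenDepositFor, it pulls tokens
/// from msg.sender (_from), so whoever calls it must hold the tokens and
/// must have approved this contract as spender.
contract MiniPortfolio {
    address public immutable vault;

    constructor(address _vault) {
        vault = _vault;
    }

    function depositFor(address token, uint256 amount) external {
        address _from = msg.sender; // the immediate caller, not the end user
        require(IERC20(token).transferFrom(_from, vault, amount), "transferFrom failed");
    }
}

/// Mirrors the reported DepositBatch flow: the user has approved the batcher
/// (and possibly the portfolio), but inside depositFor _from is this contract,
/// whose allowance to the portfolio is zero, so the deposit reverts.
contract BatcherBroken {
    MiniPortfolio public immutable portfolio;

    constructor(MiniPortfolio _portfolio) {
        portfolio = _portfolio;
    }

    function batchDeposit(address token, uint256 amount) external {
        // user -> batcher (user approved this contract beforehand)
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        // batcher -> vault: reverts with "ERC20: insufficient allowance"
        portfolio.depositFor(token, amount);
    }
}

/// Fixed variant: the batcher grants the portfolio an allowance on the tokens
/// it now holds before delegating the deposit, then clears any leftover.
contract BatcherFixed {
    MiniPortfolio public immutable portfolio;

    constructor(MiniPortfolio _portfolio) {
        portfolio = _portfolio;
    }

    function batchDeposit(address token, uint256 amount) external {
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        // exact-amount approval, intended to be consumed by this one call
        IERC20(token).approve(address(portfolio), amount);
        portfolio.depositFor(token, amount);
        // defensively reset so no standing allowance survives the call
        IERC20(token).approve(address(portfolio), 0);
    }
}
```

To exercise it: deploy `MockToken` with the user as holder, deploy `MiniPortfolio` with any vault address, deploy both batchers pointing at the portfolio, have the user `approve` a batcher, then call `batchDeposit`. The broken batcher reverts with `ERC20: insufficient allowance` because the allowance that matters is `allowance[batcher][portfolio]`, not the user's; the fixed one moves the tokens to the vault. Approving only the exact amount and resetting to zero afterwards keeps the intermediary from holding a standing allowance, which matters whenever the same batch contract custodies user tokens for more than one call.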