Closed: sherlock-admin closed 1 year ago
Protocol already uses a comment to acknowledge the issue + swapper owner is considered trusted:
Q: Is the admin/owner of the protocol/contracts TRUSTED or RESTRICTED? no protocol owner(s); oracle, swapper, & pass-through-wallet owners are TRUSTED
obront
medium
Owner can steal accumulated payback
Summary
If any ETH is sent to the payback() function with the intention to accumulate until the next flash() call (as described in the code comments), it can be stolen by the owner of the Swapper in advance of the swap being performed.
Vulnerability Detail
The SwapperImpl.sol contract implements a payback() function that is used by swappers if $tokenToBeneficiary == ETH to pay back the amountToBeneficiary after performing the swap.
According to the comments, the payback() function is intended to accumulate until the next flash call. This feature can be used by a swapper to pay back some of the ETH in advance, and only later perform the flash call to receive the assets.
However, if a swapper were ever to use this feature, their ETH could be stolen by the owner of the Swapper.
That's because SwapperImpl inherits from WalletImpl, which has the following function:
This function allows the owner of the Swapper to perform any arbitrary action on the Swapper's behalf, including sending its ETH.
If the owner removes all ETH from the contract, then when the swapper does finally perform its action to take the assets, the following subtraction will underflow and fail:
As a result, the swapper will not be able to receive their assets, and the owner will have stolen their ETH.
Impact
Any swappers who payback() ETH in advance, expecting it to accumulate in the contract as specified in the comments, can have their ETH stolen.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L194-L200
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-swapper/src/SwapperImpl.sol#L268-L271
Tool used
Manual Review
Recommendation
The SwapperImpl.sol contract should not inherit from WalletImpl — it gives the owner too much power.
Alternatively, the comment should be removed that tells swappers that they can send ETH that will accumulate until the next flash call, as they should know that any ETH they deposit to the contract outside of the context of a flash() call can be stolen.