search

sherlock-audit / 2023-04-splits-judging

4 stars 1 forks source link

bretzel - Difficulty to get swapper address if created #75

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

bretzel

medium

Difficulty to get swapper address if created

Summary

When we create a diversifier, we only returning the diversifier address. The diversifier address is only used for depositing (tokens and ETH) and sending token to the split address. If we want to distributing & withdrawing funds. We need to put the accounts who will receive the token as a parameter. However, if we create a swapper contract. The address is never returned or emit.

Vulnerability Detail

DiversifierFactory.sol#L66-L91

function createDiversifier(CreateDiversifierParams calldata params_) external returns (address diversifier) {
        // create pass-through wallet w {this} as owner & no passThrough
        PassThroughWalletImpl passThroughWallet = passThroughWalletFactory.createPassThroughWallet(
            PassThroughWalletImpl.InitParams({owner: address(this), paused: params_.paused, passThrough: ADDRESS_ZERO})
        );
        diversifier = address(passThroughWallet);

        // parse oracle params for swapper-recipients
        OracleImpl oracle = _parseOracleParams(diversifier, params_.oracleParams);

        // create split w diversifier (pass-through wallet) as controller
        (address[] memory sortedAccounts, uint32[] memory sortedPercentAllocations) =
            _parseRecipientParams(diversifier, oracle, params_.recipientParams);
        address passThroughSplit = splitMain.createSplit({
            accounts: sortedAccounts,
            percentAllocations: sortedPercentAllocations,
            distributorFee: 0,
            controller: diversifier
        });

        // set split address as passThrough & transfer ownership from factory
        passThroughWallet.setPassThrough(passThroughSplit);
        passThroughWallet.transferOwnership(params_.owner);

        emit CreateDiversifier(diversifier);
    }

Only the diversifier address is returned and emitted. We have no information if a swapper was created inside _parseRecipientParams or not.

Impact

Difficulty to get swapper address that are needed for distributing tokens inside SplitMain.

Code Snippet

File: DiversifierFactory.sol#L66-L133

Tool used

Manual Review

Recommendation

Return the address of all swapper or emit them.