Re-entrancy in flash allows trader to steal funds from different Swapper contracts

amaechieth

high

Summary

In SwapperImpl.sol the checks-effects-interactions (CEI) pattern is not followed, which allows re-entrancy through the internal function _transferToTrader. The transfer in that function triggers a callback to msg.sender (the trader) before _transferToBeneficiary is called.

This allows the trader to call flash on multiple Swapper contracts in a single transaction and steal tokens/ETH.

Vulnerability Detail

The following test can be inserted into the existing test suite. Add the lines marked // ADD THIS to the set-up.

Storage variables:

SwapperImpl swapper2; // ADD THIS
address thief; // ADD THIS

Setup:

Add this test to the test suite:

Add this contract to the test suite:

Logs:

Impact

This test shows that the thief, a trader, increases their ERC20 & ETH balance while decreasing the Swapper & Swapper2 balances. It also shows that the beneficiary gains nothing.

Code Snippet

SwapperImpl.sol

SwapperImpl.sol

Tool used

Manual Review

Recommendation

Change the _transferToTrader function to cache & return the amount of tokens to be transferred to the trader, then perform the transfer after _transferToBeneficiary has been called.

Duplicate of #49
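The ordering change in the recommendation, written out as an added illustrative sketch. This is not SwapperImpl.sol's own code: the contract, function signatures, the 1:1 pricing and the interface names are assumptions made for the illustration. The sketch assumes the trader's payment in tokenToBeneficiary is already held by the swapper when flash runs, so the beneficiary can be settled before any control passes to msg.sender; where the payment can only arrive inside a trader callback, reordering alone is not enough, which is why a re-entrancy guard is shown alongside it as defence in depth.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustrative sketch, not SwapperImpl.sol's own code.
// Shows the ordering the recommendation describes: quote and cache the
// trader's amount, settle the beneficiary, then transfer to the trader.
// Names, pricing and interfaces below are assumed for the illustration.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract FlashOrderingSketch {
    address public immutable beneficiary;
    IERC20 public immutable tokenToBeneficiary;

    // Defence in depth: a flash must not be re-entered from any callback,
    // whether from its own transfer or from another Swapper's transfer.
    uint256 private _entered = 1;

    modifier nonReentrant() {
        require(_entered == 1, "reentrant");
        _entered = 2;
        _;
        _entered = 1;
    }

    constructor(address beneficiary_, IERC20 tokenToBeneficiary_) {
        beneficiary = beneficiary_;
        tokenToBeneficiary = tokenToBeneficiary_;
    }

    // Vulnerable ordering described in the report:
    //   _transferToTrader(...)       // external call: trader callback fires here
    //   _transferToBeneficiary(...)  // beneficiary settled only afterwards
    //
    // Recommended ordering (this function): no external call to the trader
    // until the beneficiary has been paid.
    function flash(IERC20 tokenToTrader, uint256 amountIn) external nonReentrant {
        // 1. Checks: _transferToTrader now only quotes and returns the amount
        //    owed to the trader; it performs no transfer and no callback.
        uint256 amountToTrader = _transferToTrader(tokenToTrader, amountIn);
        uint256 amountToBeneficiary = amountIn;

        // 2. Effects / settlement: the beneficiary's claim is paid before any
        //    control transfer to msg.sender.
        _transferToBeneficiary(amountToBeneficiary);

        // 3. Interaction last: the trader is paid (and any receive hook or
        //    callback fires) only after step 2 has completed.
        require(tokenToTrader.transfer(msg.sender, amountToTrader), "trader transfer failed");
    }

    // Quote only: cache and return the amount, do not transfer.
    function _transferToTrader(IERC20 tokenToTrader, uint256 amountIn)
        internal
        view
        returns (uint256 amountToTrader)
    {
        // Assumed 1:1 pricing for the sketch; a real swapper uses oracle quotes.
        amountToTrader = amountIn;
        require(tokenToTrader.balanceOf(address(this)) >= amountToTrader, "insufficient liquidity");
    }

    function _transferToBeneficiary(uint256 amount) internal {
        // Assumes the trader's payment already sits in this contract.
        require(tokenToBeneficiary.balanceOf(address(this)) >= amount, "beneficiary underpaid");
        require(tokenToBeneficiary.transfer(beneficiary, amount), "beneficiary transfer failed");
    }
}
```

The point of the sketch is the position of the external call: in the vulnerable ordering, the trader receives control while the beneficiary's side is still unsettled, so a callback can start a second flash on another Swapper in the same transaction; in the reordered version the trader is only reached after _transferToBeneficiary has completed, and the nonReentrant guard additionally rejects any nested entry into flash.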