ApproveSwapAndPay.sol is vulnerable to address collision
Summary
ApproveSwapAndPay#uniswapV3SwapCallback never verifies that the callback msg.sender is actually a deployed pool. This allows for a provable address collision that can be used to drain all allowances to the callback.
Vulnerability Detail
See detail, this protocol use the same hash algorithm to get the pool address, which means that the pool address is possible to hash collision with truncated issue from uint256 to uint160.
When uniswapV3SwapCallback, it use same hash algorithm with kyber swap to get the pool address when uniswapV3SwapCallback. However, it's possible to get the malicious msg.sender address with different tokens due to truncated issue from uint256 to uint160, which means that the callback msg.sender can be a malicious address, and when brute force with 2^82, the hash collision becomes 99.96%. So attacker could use token0 = WETH and vary token1 to call uniswapV3SwapCallback to drain all allowances when callback.
Impact
Address collision can cause all allowances to be drained
pks_
medium
ApproveSwapAndPay.sol is vulnerable to address collision
Summary
ApproveSwapAndPay#uniswapV3SwapCallback never verifies that the callback msg.sender is actually a deployed pool. This allows for a provable address collision that can be used to drain all allowances to the callback.
Vulnerability Detail
See detail, this protocol use the same hash algorithm to get the pool address, which means that the pool address is possible to hash collision with truncated issue from uint256 to uint160.
When uniswapV3SwapCallback, it use same hash algorithm with kyber swap to get the pool address when uniswapV3SwapCallback. However, it's possible to get the malicious msg.sender address with different tokens due to truncated issue from uint256 to uint160, which means that the callback msg.sender can be a malicious address, and when brute force with 2^82, the hash collision becomes 99.96%. So attacker could use token0 = WETH and vary token1 to call uniswapV3SwapCallback to drain all allowances when callback.
Impact
Address collision can cause all allowances to be drained
Code Snippet
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/ApproveSwapAndPay.sol#L242C14-L258
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/abstract/ApproveSwapAndPay.sol#L275-L285
Tool used
vscode, Manual Review
Recommendation
Verify the ApproveSwapAndPay#uniswapV3SwapCallback msg.sender is a valid pool.
Duplicate of #158