Closed sherlock-admin closed 11 months ago
This variable determines whether the Sale token is a 0th token. The direction of the swap is determined by the name of the variables Sale token and Hold token.When borrowed, a Sale token is always sold when the loan is repaid, a Hold token is sold.
Hi! Sorry if I dont get it, but if BorrowParams.saleToken and BorrowParams.holdToken are addresses, how bool zeroForSaleToken = params.saleToken < params.holdToken;
compares names and not addresses?
836541
high
"zeroForSaleToken" variable is incorrect calculated, fixing the sale direction of every pair
Summary
zeroForSaleToken
is a boolean value used in UniswapV3 that provides the direction of the swap. If true, it means you are selling token0 for token1. If false, it means you are selling token1 for token0. However, inLiquidityBorrowingManager.sol
, thezeroForSaleToken
direction is decided based on which token address is a higher value (bool zeroForSaleToken = params.saleToken < params.holdToken;
), which makes the direction point to an address with higher hex value, so some pair swaps will always have the same direction, making that you can just borrow token0 for token1, but never token1 for token0 in these pairs.Vulnerability Detail
In
LiquidityBorrowingManager.sol
, you input the structBorrowParams
in the methodborrow
. After that, the subcall_precalculateBorrowing
is called. The subcall snippet:The line
bool zeroForSaleToken = params.saleToken < params.holdToken;
compares params.saleToken to params.holdToken from aBorrowParams
struct. Let's see what are they in theBorrowParams
:It's visible that
saleToken
andholdToken
are both addresses. So, the direction of the swap is calculated by which address hexadecimal is higher, which it's not intended by the protocol or UniswapV3.After in
_precalculateBorrowing
, the inherited method_extractLiquidity
fromLiquidityManager.sol
is called and thezeroForSaleToken
is one of the inputs. The snippet:It's visible that the protocol uses
zeroForSaleToken
as a way to decide which is the token for sale in the first lines. However, as this boolean is not calculated correctly, some pairs have a fixed direction (tokenX -> tokenY) based on which address has a higher value, so not respecting this buggy direction can make the transaction revert (swapping the holdToken for the saleToken) or executing wrong swaps.Impact
Based on which token address of the pair is higher, some pairs will have a fixed direction of which token should be for sale and which token is not. As this is not intended, some pairs will be only possible to borrow token0 for token1 and never token1 for token0, which is a high severity denial of service that makes transactions reverts and the protocol to not work as intended.
Code Snippet
https://github.com/sherlock-audit/2023-10-real-wagmi/blob/main/wagmi-leverage/contracts/LiquidityBorrowingManager.sol#L837
Tool used
Manual Review
Recommendation
Allow user to choose the direction or correctly calculate it comparing the amount of assets in eth, not the addresses.