Wrapped Tokens can be stuck / Wrong amount used in MasterRouter
Summary
MasterRouter uses the wrong amount, originToken instead of wrappedToken, which leads to less traded tokens and wrapped Tokens stuck in the router.
Vulnerability Detail
MasterRouter is responsible for wrapping/unwrapping of tokens and using the Uniswap Router to execute swaps. It is crucial to take care that the correct amount values are used, as the wrapped tokens are always having 18 decimals and the origin Token usually less.
The vulnerability stems from the swapExactTokensforEth function, which takes the originToken and the originToken amount (amountIn) as user input. It then transfers this amount to itself and wraps it using the wrapperFactory.
Next, the swap function from the JalaRouter02 is called. The token to be swapped here is the wrapped token, but the amount passed is the amountIn variable which is the amount of the originToken (less decimals).
This results in less tokens to be actually traded and the rest of the transferred and wrapped tokens to remain inside the MasterRouter contract.
Impact
User receives less CHY (ETH) for their tokens and Wrapped Tokens are stuck in MasterRouter contract
C1rdan
medium
Wrapped Tokens can be stuck / Wrong amount used in MasterRouter
Summary
MasterRouter uses the wrong amount, originToken instead of wrappedToken, which leads to less traded tokens and wrapped Tokens stuck in the router.
Vulnerability Detail
MasterRouter is responsible for wrapping/unwrapping of tokens and using the Uniswap Router to execute swaps. It is crucial to take care that the correct amount values are used, as the wrapped tokens are always having 18 decimals and the origin Token usually less.
The vulnerability stems from the swapExactTokensforEth function, which takes the originToken and the originToken amount (amountIn) as user input. It then transfers this amount to itself and wraps it using the wrapperFactory. Next, the swap function from the JalaRouter02 is called. The token to be swapped here is the wrapped token, but the amount passed is the amountIn variable which is the amount of the originToken (less decimals).
This results in less tokens to be actually traded and the rest of the transferred and wrapped tokens to remain inside the MasterRouter contract.
Impact
User receives less CHY (ETH) for their tokens and Wrapped Tokens are stuck in MasterRouter contract
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaMasterRouter.sol#L300
Tool used
Manual Review
Recommendation
use Wrapped Token amount instead of amountIn
Duplicate of #146