The vulnerability lies in the functions JalaRouter02::removeLiquidityWithPermit() and JalaRouter02::removeLiquidityETHWithPermit() of the smart contract. These functions utilize the permit() function, which is not implemented, leading to a failure when called. This prevents users from removing liquidity with a signature as intended by the protocol.
Vulnerability Detail
The JalaRouter02::removeLiquidityWithPermit() and JalaRouter02::removeLiquidityETHWithPermit() functions use the function permit(). Here, there is no implementation of the permit() function which means the function fails when called.
PoC
Add the following to the `JalaRouter02.t.sol` testsuite
```javascript
function test_RemoveLiquidityWithPermit() public {
uint8 v = 27;
bytes32 r = "0x123456";
bytes32 s = "0x123456";
tokenA.approve(address(router), 1 ether);
tokenB.approve(address(router), 1 ether);
router.addLiquidity(
address(tokenA),
address(tokenB),
1 ether,
1 ether,
1 ether,
1 ether,
address(this),
block.timestamp
);
address pairAddress = factory.getPair(address(tokenA), address(tokenB));
JalaPair pair = JalaPair(pairAddress);
uint256 liquidity = pair.balanceOf(address(this));
pair.approve(address(router), liquidity);
router.removeLiquidityWithPermit(
address(tokenA),
address(tokenB),
liquidity,
1 ether,
1 ether,
address(this),
block.timestamp,
true,
v,
r,
s
);
}
```
This test will fail as there is no implementation of the `permit()` function
![removeLiquiditywithPermit](https://github.com/Tarunrao0/Ethernaut/assets/122633325/5ddf88de-18cd-4159-9b0d-f6c37ba520e1)
Impact
Users cannot remove liquidity with a signature as intended by the protocol
Aizen
medium
Remove Liquitidity with permit fails
Summary
The vulnerability lies in the functions
JalaRouter02::removeLiquidityWithPermit()
andJalaRouter02::removeLiquidityETHWithPermit()
of the smart contract. These functions utilize thepermit()
function, which is not implemented, leading to a failure when called. This prevents users from removing liquidity with a signature as intended by the protocol.Vulnerability Detail
The
JalaRouter02::removeLiquidityWithPermit()
andJalaRouter02::removeLiquidityETHWithPermit()
functions use the functionpermit()
. Here, there is no implementation of thepermit()
function which means the function fails when called.PoC
Add the following to the `JalaRouter02.t.sol` testsuite ```javascript function test_RemoveLiquidityWithPermit() public { uint8 v = 27; bytes32 r = "0x123456"; bytes32 s = "0x123456"; tokenA.approve(address(router), 1 ether); tokenB.approve(address(router), 1 ether); router.addLiquidity( address(tokenA), address(tokenB), 1 ether, 1 ether, 1 ether, 1 ether, address(this), block.timestamp ); address pairAddress = factory.getPair(address(tokenA), address(tokenB)); JalaPair pair = JalaPair(pairAddress); uint256 liquidity = pair.balanceOf(address(this)); pair.approve(address(router), liquidity); router.removeLiquidityWithPermit( address(tokenA), address(tokenB), liquidity, 1 ether, 1 ether, address(this), block.timestamp, true, v, r, s ); } ``` This test will fail as there is no implementation of the `permit()` function ![removeLiquiditywithPermit](https://github.com/Tarunrao0/Ethernaut/assets/122633325/5ddf88de-18cd-4159-9b0d-f6c37ba520e1)Impact
Users cannot remove liquidity with a signature as intended by the protocol
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L165
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L183
Tool used
Manual Review
Recommendation
Add an implementation for the function
permit()
or the ERC20Permit contract can be used to add the same functionality. OpenZeppelin's ERC20Permit.sol : https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/extensions/ERC20Permit.solDuplicate of #40