Hacker can steal stuck wrapped Tokens in MasterRouter
Summary
MasterRouter sends out all the available wrapped Token balance to the caller of some functions in some cases.
This enables a hacker to steal stuck tokens.
Vulnerability Detail
MasterRouter calls unwrapAndTransfer at the end of some functions, which is not taking an amount as input, but always unwraps and transfers the whole balance to the caller.
This is assumed to be fine, as MasterRouter is not supposed to hold tokens. Because of a separate vulnerability in the swapExactTokensForEth function, where the wrong input amount is used, it is likely that tokens are stuck inside the MasterRouter contract.
These tokens can be extracted by a hacker that calls as example wrapTokenAndaddLiquidity with a small amount, because at the end unwrapAndTransfer is called and transferring all the tokens inside the Router contract to the hacker.
Impact
Hacker can steal stuck Tokens in MasterRouter contract
C1rdan
high
Hacker can steal stuck wrapped Tokens in MasterRouter
Summary
MasterRouter sends out all the available wrapped Token balance to the caller of some functions in some cases. This enables a hacker to steal stuck tokens.
Vulnerability Detail
MasterRouter calls unwrapAndTransfer at the end of some functions, which is not taking an amount as input, but always unwraps and transfers the whole balance to the caller.
This is assumed to be fine, as MasterRouter is not supposed to hold tokens. Because of a separate vulnerability in the swapExactTokensForEth function, where the wrong input amount is used, it is likely that tokens are stuck inside the MasterRouter contract. These tokens can be extracted by a hacker that calls as example wrapTokenAndaddLiquidity with a small amount, because at the end unwrapAndTransfer is called and transferring all the tokens inside the Router contract to the hacker.
Impact
Hacker can steal stuck Tokens in MasterRouter contract
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaMasterRouter.sol#L67-L68
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaMasterRouter.sol#L308
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaMasterRouter.sol#L300
Tool used
Manual Review Github
Recommendation
Dont use contract balance as amount to be send to the caller in unwrapAndTransfer
Duplicate of #146