Closed sherlock-admin closed 6 months ago
Invalid, external admins are trusted not to be malicious. However, there seems to be some conflicting information:
Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED?
Trusted
These admins can indeed DoS certain core functions, though, and the README does say the following:
In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.
Please submit any issue that could potentially compromise the JalaSwap protocol.
Since there is no rule catering to the conflicting information, I will have to give external admin trust assumptions more significance; see point 5 here.
- External Admin trust assumptions:
  - When external-admin=trusted, issues related to these external admins being able to rug protocol users is not a valid issue. (Example: Aave governance has the intention of rugging Index Protocol)
jasonxiale
medium
issues related to Fan token paused.
Summary
In such a case, there might be some issues.
Vulnerability Detail
ChilizWrapperFactory.unwrap will call ChilizWrappedERC20.withdrawTo in ChilizWrapperFactory.sol#L26. And in ChilizWrappedERC20.withdrawTo, the function will revert in ChilizWrappedERC20.sol#L52. But a technical user can find the wrapped token pair address and call router.removeLiquidity with the wrapped token as parameter. In such a case, after he receives the wrapped token, he can swap or transfer the wrapped token to another unpaused token.
Impact
By the current design, non-technical users suffer more risk.
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/030d3ed54214754301154bce0e58ea534100a7e3/jalaswap-dex-contract/contracts/utils/ChilizWrappedERC20.sol#L33-L60
Tool used
Manual Review
Recommendation
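
The asymmetry described in the report, as a simplified Python model added here for illustration; it is not code from the report or from the JalaSwap contracts. The class and function names, the 1:1 backing and the balances are assumptions.

```python
# Simplified model, constructed for illustration; not the JalaSwap contracts.
class Reverted(Exception):
    pass  # stands in for an EVM revert

class Token:
    def __init__(self):
        self.balances, self.paused = {}, False

    def transfer(self, src, dst, amount):
        if self.paused:
            raise Reverted("token is paused")
        if self.balances.get(src, 0) < amount:
            raise Reverted("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class Wrapper(Token):
    """Wrapped token backed 1:1 by a pausable underlying (ratio assumed)."""
    def __init__(self, underlying):
        super().__init__()
        self.underlying = underlying

    def withdraw_to(self, holder, recipient, amount):
        if self.balances.get(holder, 0) < amount:
            raise Reverted("insufficient wrapped balance")
        # Reverts while the underlying is paused, before any wrapped balance is burned.
        self.underlying.transfer("wrapper", recipient, amount)
        self.balances[holder] -= amount

def unwrap(wrapper, user, amount):
    """Exit to the underlying token (stands in for the factory's unwrap)."""
    wrapper.withdraw_to(user, user, amount)

def remove_liquidity(wrapper, user, amount):
    """Exit in the wrapped token itself (stands in for the router call)."""
    wrapper.transfer("pair", user, amount)

def scenario():
    fan = Token()
    wrapped = Wrapper(fan)
    fan.balances["wrapper"] = 100                   # constructed sample state
    wrapped.balances = {"pair": 60, "alice": 40}
    fan.paused = True                               # external admin pauses the fan token
    try:
        unwrap(wrapped, "alice", 40)
        paused_unwrap = "ok"
    except Reverted as exc:
        paused_unwrap = f"reverted: {exc}"
    remove_liquidity(wrapped, "bob", 60)            # wrapped token is not paused
    fan.paused = False
    unwrap(wrapped, "alice", 40)                    # same call succeeds after unpause
    return paused_unwrap, wrapped.balances["bob"], fan.balances["alice"]
```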