Incorrect Swap Executions Due to Misalignment between amounts and path
Summary
The _swap function is designed to facilitate token swaps through a series of liquidity pools represented by token pairs along a specified path. It calculates the output amount for each swap in the path and executes these swaps sequentially. However, a critical assumption underlying this function's correct operation is the alignment between the amounts array and the path array. Specifically, for a path of N tokens, there should be N-1 swaps, and thus, the amounts array should contain N elements (the input amount for the first swap and the output amounts for all subsequent swaps).
Vulnerability Detail
The function assumes that the length of the amounts array is directly related to the length of the path array, with the former being exactly one element longer than the number of swaps to perform (since the last token's amount represents the amount received at the end of the swap chain). This assumption is not explicitly validated within the function.
Impact
If amounts.length is less than path.length - 1, the function will attempt to access an index of amounts that does not exist, leading to a runtime error and reverting the transaction.
If amounts.length is greater than path.length, some amounts will not be used, potentially indicating a logic error or a misinterpretation of how the function should be called. Conversely, if amounts.length is less than path.length, it could result in attempting swaps without valid output amounts, leading to incorrect behavior or transaction failure.
cheatcode
medium
Incorrect Swap Executions Due to Misalignment between
amounts
andpath
Summary
The
_swap
function is designed to facilitate token swaps through a series of liquidity pools represented by token pairs along a specified path. It calculates the output amount for each swap in the path and executes these swaps sequentially. However, a critical assumption underlying this function's correct operation is the alignment between theamounts
array and thepath
array. Specifically, for a path of N tokens, there should be N-1 swaps, and thus, theamounts
array should contain N elements (the input amount for the first swap and the output amounts for all subsequent swaps).Vulnerability Detail
The function assumes that the length of the
amounts
array is directly related to the length of thepath
array, with the former being exactly one element longer than the number of swaps to perform (since the last token's amount represents the amount received at the end of the swap chain). This assumption is not explicitly validated within the function.Impact
If
amounts.length
is less thanpath.length - 1
, the function will attempt to access an index ofamounts
that does not exist, leading to a runtime error and reverting the transaction.If
amounts.length
is greater thanpath.length
, some amounts will not be used, potentially indicating a logic error or a misinterpretation of how the function should be called. Conversely, ifamounts.length
is less thanpath.length
, it could result in attempting swaps without valid output amounts, leading to incorrect behavior or transaction failure.Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L229
Tool used
Manual Review
Recommendation
Add a validation step at the beginning of the function to ensure that
amounts.length == path.length
.