A malicious user can grief and DOS a user while he is trying to remove Liquidity
Summary
A malicious user can grief and DOS a user while he is trying to remove Liquidity using removeLiquidityWithPermit() and removeLiquidityETHWithPermit()
Vulnerability Detail
-The removeLiquidityWithPermit() and removeLiquidityETHWithPermit() uses permit function to give approve to router contract for the LP tokens and removal of liquidity in the same transaction rather than approving the LP token manually from contract address.
User signs their LP tokens and provide the signature(v,r,s) to contract as part of approving token using permit.
When a user calls removeLiquidityWithPermit or removeLiquidityETHWithPermit function the malicious user see's the transaction in mempool and take the signature of user and calls the permit function himself before the user's transaction gets executed.
Since the signature provided by malicious user is correct the transaction get's successful and increases the nonce .
However when user's transaction gets executed it would fail due to increase of nonce .
Impact
Malicious user can grief and DOS user when he calls removeLiquidityWithPermit() and removeLiquidityETHWithPermit() so whenever the user does the transaction it would get fail and can't remove the liquidity at that particular transaction.
smbv-1919
medium
A malicious user can grief and DOS a user while he is trying to remove Liquidity
Summary
A malicious user can grief and DOS a user while he is trying to remove Liquidity using
removeLiquidityWithPermit()
andremoveLiquidityETHWithPermit()
Vulnerability Detail
-The
removeLiquidityWithPermit()
andremoveLiquidityETHWithPermit()
uses permit function to give approve to router contract for the LP tokens and removal of liquidity in the same transaction rather than approving the LP token manually from contract address.User signs their LP tokens and provide the signature(v,r,s) to contract as part of approving token using permit.
When a user calls
removeLiquidityWithPermit
orremoveLiquidityETHWithPermit
function the malicious user see's the transaction in mempool and take the signature of user and calls the permit function himself before the user's transaction gets executed.Since the signature provided by malicious user is correct the transaction get's successful and increases the nonce .
However when user's transaction gets executed it would fail due to increase of nonce .
Impact
Malicious user can grief and DOS user when he calls removeLiquidityWithPermit() and removeLiquidityETHWithPermit() so whenever the user does the transaction it would get fail and can't remove the liquidity at that particular transaction.
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L169 https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L150
Tool used
Manual review
Recommendation
Duplicate of #177