search

sherlock-audit / 2024-02-jala-swap-judging

6 stars 4 forks source link

recursiveEth - Missing Implementation of Permit Function in Contract #247

Closed sherlock-admin2 closed 6 months ago

sherlock-admin2 commented 6 months ago

recursiveEth

medium

Missing Implementation of Permit Function in Contract

Summary

The contract is calling the permit function from the IJalaPair interface, but the actual implementation of the permit function is missing in the contract. This could lead to runtime errors when the function is called, as the contract does not contain the necessary code to handle the permit functionality.

Vulnerability Detail

The contract calls the permit function from the IJalaPair interface, assuming that it is implemented somewhere in the codebase. However, the actual implementation of the permit function is missing in the contract. This could lead to runtime errors or unexpected behavior when the permit function is called, as the contract does not contain the necessary logic to execute the permit functionality.

Impact

it could lead to runtime errors or unexpected behavior in the contract execution. This could potentially disrupt the intended functionality of the contract and lead to issues such as failed transactions or loss of funds.

Code Snippet

https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L165

 function removeLiquidityWithPermit(
        address tokenA,
        address tokenB,
        uint256 liquidity,
        uint256 amountAMin,
        uint256 amountBMin,
        address to,
        uint256 deadline,
        bool approveMax,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external virtual override returns (uint256 amountA, uint256 amountB) {
        address pair = JalaLibrary.pairFor(factory, tokenA, tokenB);
        uint256 value = approveMax ? type(uint).max : liquidity;
        // check and remove
        IJalaPair(pair).permit(msg.sender, address(this), value, deadline, v, r, s);
        (amountA, amountB) = removeLiquidity(tokenA, tokenB, liquidity, amountAMin, amountBMin, to, deadline);
    }

    function removeLiquidityETHWithPermit(
        address token,
        uint256 liquidity,
        uint256 amountTokenMin,
        uint256 amountETHMin,
        address to,
        uint256 deadline,
        bool approveMax,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external virtual override returns (uint256 amountToken, uint256 amountETH) {
        address pair = JalaLibrary.pairFor(factory, token, WETH);
        uint256 value = approveMax ? type(uint).max : liquidity;
        //@audit-issue there is no permit function implemenation present inside contract
        IJalaPair(pair).permit(msg.sender, address(this), value, deadline, v, r, s);
        (amountToken, amountETH) = removeLiquidityETH(token, liquidity, amountTokenMin, amountETHMin, to, deadline);
    }

Tool used

Manual Review

Recommendation

implement the permit() logic in jalaPairERC20 contract

Duplicate of #40