The return amount should be sent back to msg.sender instead of the recipient.
Vulnerability Detail
The to input argument in the wrapTokensAndaddLiquidity function in the JalaMasterRouter contract represents the recipient address where msg.sender wants the liquidity tokens to be minted.
At the beginning of the function, msg.sender transfers tokens to JalaMasterRouter before calling the router to add liquidity.
In the scenario where to = msg.sender, the remaining tokens are returned to msg.sender (their original source). However, in the case where to != msg.sender, the tokens are transferred to another address. This address may be one where msg.sender does not want to go or the toaddress is an EOA/smart wallet that can not send tokens back to msg.sender. In the second case, msg.sender will lose the remaining tokens.
The to address should only receive LP tokens and the remaining tokens should be returned to msg.sender.
Impact
Users will lose the receiving of remaining tokens.
gkrastenovaudit
medium
Users lose the receiving of remaining tokens
Summary
The return amount should be sent back to
msg.sender
instead of the recipient.Vulnerability Detail
The
to
input argument in thewrapTokensAndaddLiquidity
function in theJalaMasterRouter
contract represents the recipient address wheremsg.sender
wants the liquidity tokens to be minted.At the beginning of the function,
msg.sender
transfers tokens toJalaMasterRouter
before calling the router to add liquidity.At the end of the function, the remaining tokens, after providing liquidity, are unwrapped and transferred back to the recipient.
In the scenario where
to = msg.sender
, the remaining tokens are returned tomsg.sender
(their original source). However, in the case where to!= msg.sender
, the tokens are transferred to another address. This address may be one wheremsg.sender
does not want to go or theto
address is an EOA/smart wallet that can not send tokens back tomsg.sender
. In the second case,msg.sender
will lose the remaining tokens.The
to
address should only receive LP tokens and the remaining tokens should be returned tomsg.sender
.Impact
Users will lose the receiving of remaining tokens.
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaMasterRouter.sol#L67-L68
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaMasterRouter.sol#L98
Tool used
Manual Review
Recommendation
Send remaining tokens back to the
msg.sender
.