search

sherlock-audit / 2024-02-jala-swap-judging

6 stars 4 forks source link

recursiveEth - Inconsistent Parameter Passing in Token Swapping Functions #253

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

recursiveEth

high

Inconsistent Parameter Passing in Token Swapping Functions

Summary

The vulnerability involves passing incorrect values to the swapExactTokensForETH function, which could lead to unexpected behavior or errors during token swapping. However, the swapExactTokensForTokens function is correctly implemented.

Vulnerability Detail

In the swapExactTokensForETH function, the amountIn parameter is incorrectly passed as the amount of tokens to swap, instead of the balance of the wrapped token held by the contract. This can lead to incorrect token swapping behavior, potentially resulting in loss of funds or failed transactions.

Impact

The impact of passing incorrect values to the swapExactTokensForETH function is potential loss of funds or failed transactions due to incorrect token swapping behavior. Users relying on this function may experience unexpected outcomes when attempting to swap tokens for ETH.

Code Snippet

https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaMasterRouter.sol#L300

   function swapExactTokensForETH(
        address originTokenAddress,
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external virtual override returns (uint256[] memory amounts) {
        address wrappedTokenIn = IChilizWrapperFactory(wrapperFactory).wrappedTokenFor(originTokenAddress);

        require(path[0] == wrappedTokenIn, "MS: !path");

        TransferHelper.safeTransferFrom(originTokenAddress, msg.sender, address(this), amountIn);
        _approveAndWrap(originTokenAddress, amountIn);
        IERC20(wrappedTokenIn).approve(router, IERC20(wrappedTokenIn).balanceOf(address(this)));

        amounts = IJalaRouter02(router).swapExactTokensForETH(amountIn, amountOutMin, path, to, deadline);
    }

Tool used

Manual Review

Recommendation

To address the vulnerability, ensure that the correct value (the balance of the wrapped token held by the contract) is passed to the swapExactTokensForETH function. This can be achieved by replacing amountIn with IERC20(wrappedTokenIn).balanceOf(address(this)) as the first parameter in the function call

   function swapExactTokensForETH(
        address originTokenAddress,
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external virtual override returns (uint256[] memory amounts) {
        address wrappedTokenIn = IChilizWrapperFactory(wrapperFactory).wrappedTokenFor(originTokenAddress);

        require(path[0] == wrappedTokenIn, "MS: !path");

        TransferHelper.safeTransferFrom(originTokenAddress, msg.sender, address(this), amountIn);
        _approveAndWrap(originTokenAddress, amountIn);
        IERC20(wrappedTokenIn).approve(router, IERC20(wrappedTokenIn).balanceOf(address(this)));

        amounts = IJalaRouter02(router).swapExactTokensForETH(  IERC20(wrappedTokenIn).balanceOf(address(this)), amountOutMin, path, to, deadline);
    }

Duplicate of #146