Lack of access control in JalaRouter02: addliquidity function
Summary
The Jalaswap protocol has a core functionality of wrapping tokens to 18 decimal in wrapperERC20 token due to varying decimals of different ERC20's and to avert price inaccuracies in pools
Vulnerability Detail
The implementation of the core functionality is bypassed with the JalaRouter02: addliquidity and JalaRouter02: remove liquidity function which are public with no access control
Impact
Potentials to create a grossly inefficient pool by users of protocol
Afriaudit
high
Lack of access control in
JalaRouter02: addliquidity
functionSummary
The Jalaswap protocol has a core functionality of wrapping tokens to 18 decimal in wrapperERC20 token due to varying decimals of different ERC20's and to avert price inaccuracies in pools
Vulnerability Detail
The implementation of the core functionality is bypassed with the
JalaRouter02: addliquidity
andJalaRouter02: remove
liquidity function which are public with no access controlImpact
Potentials to create a grossly inefficient pool by users of protocol
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L60, https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L110
Tool used
Manual Review
Recommendation
Add access control
(require msg.sender == JalaMasterRoutercontractaddress)