search

sherlock-audit / 2024-02-jala-swap-judging

6 stars 4 forks source link

Afriaudit - Lack of access control in `JalaRouter02: addliquidity` function #256

Closed sherlock-admin closed 6 months ago

sherlock-admin commented 6 months ago

Afriaudit

high

Lack of access control in JalaRouter02: addliquidity function

Summary

The Jalaswap protocol has a core functionality of wrapping tokens to 18 decimal in wrapperERC20 token due to varying decimals of different ERC20's and to avert price inaccuracies in pools

Vulnerability Detail

The implementation of the core functionality is bypassed with the JalaRouter02: addliquidity and JalaRouter02: remove liquidity function which are public with no access control

Impact

Potentials to create a grossly inefficient pool by users of protocol

Code Snippet

https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L60, https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaRouter02.sol#L110

Tool used

Manual Review

Recommendation

Add access control (require msg.sender == JalaMasterRoutercontractaddress)

nevillehuang commented 6 months ago

Invalid, users are free to use both routers to add liquidity, no issue here