sherlock-audit / 2024-02-telcoin-platform-audit-update-judging


Nyxaris - Missing Validation of External XYZ Tokens in convertFromEXYZ Function #13

Closed sherlock-admin4 closed 8 months ago

sherlock-admin4 commented 8 months ago

Nyxaris

high

Missing Validation of External XYZ Tokens in convertFromEXYZ Function

Summary

The convertFromEXYZ function does not use the isXYZ check to validate the token before performing operations.

Vulnerability Detail

The isXYZ function is intended to validate whether a token is recognized as a valid external XYZ token. However, in the convertFromEXYZ function, there is no call to isXYZ to ensure that the origin or target tokens are indeed valid external XYZ tokens before proceeding with the conversion.

Impact

The absence of this validation could allow unauthorized or unintended tokens to be used in the conversion process, potentially leading to incorrect accounting, loss of funds, or exploitation of the contract's logic.

Code Snippet

```solidity
function convertFromEXYZ(
    address wallet,
    address safe,
    StablecoinSwap memory ss
) public virtual whenNotPaused nonZero(ss) onlyRole(SWAPPER_ROLE) {
    // Only the supply floor of the origin token is checked here;
    // neither ss.origin nor ss.target is validated with isXYZ.
    if (
        Stablecoin(ss.origin).totalSupply() - ss.oAmount <
        getMinLimit(ss.origin)
    ) revert InvalidMintBurnBoundry(ss.origin);

    // Burn the origin amount from the wallet, then pay out the target
    // amount from the safe to the swap's destination.
    Stablecoin(ss.origin).burnFrom(wallet, ss.oAmount);
    ERC20PermitUpgradeable(ss.target).safeTransferFrom(
        safe,
        ss.destination,
        ss.tAmount
    );
}
```

Tool used

Manual Review

Recommendation

Implement a check using the isXYZ function to validate the origin and target tokens before executing the conversion logic in the convertFromEXYZ function. This ensures that only approved external XYZ tokens are used in the conversion process.
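To illustrate the Recommendation, here is an added example (not the reporter's code and not Telcoin's contract) of a convertFromEXYZ that gates both ss.origin and ss.target on isXYZ before any state changes. The IStablecoin interface, the StablecoinSwap field layout, the _isXYZ/_minLimit storage, the constructor and the InvalidXYZToken error are assumptions made for this snippet; since the judges note the SWAPPER_ROLE caller is trusted, the check acts as defence in depth behind that role rather than closing an open entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed stand-in interface (not Telcoin's Stablecoin) so the example compiles alone.
interface IStablecoin {
    function totalSupply() external view returns (uint256);
    function burnFrom(address from, uint256 amount) external;
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ConvertFromEXYZExample {
    struct StablecoinSwap {
        address destination;
        address origin;
        uint256 oAmount;
        address target;
        uint256 tAmount;
    }
    // Assumed storage: approved external XYZ tokens and per-token supply floors.
    mapping(address => bool) private _isXYZ;
    mapping(address => uint256) private _minLimit;

    error InvalidXYZToken(address token);        // assumed name
    error InvalidMintBurnBoundry(address token); // spelled as on the page

    constructor(address[] memory xyzTokens) {
        for (uint256 i = 0; i < xyzTokens.length; i++) _isXYZ[xyzTokens[i]] = true;
    }

    function isXYZ(address token) public view returns (bool) {
        return _isXYZ[token];
    }

    function getMinLimit(address token) public view returns (uint256) {
        return _minLimit[token];
    }

    // Hardened flow from the Recommendation: both tokens are validated before the supply
    // check, burn or transfer; the original's pause, nonZero and SWAPPER_ROLE modifiers are omitted.
    function convertFromEXYZ(address wallet, address safe, StablecoinSwap memory ss) public {
        if (!isXYZ(ss.origin)) revert InvalidXYZToken(ss.origin);
        if (!isXYZ(ss.target)) revert InvalidXYZToken(ss.target);
        if (IStablecoin(ss.origin).totalSupply() - ss.oAmount < getMinLimit(ss.origin))
            revert InvalidMintBurnBoundry(ss.origin);

        IStablecoin(ss.origin).burnFrom(wallet, ss.oAmount);
        // Plain transferFrom stands in for SafeERC20's safeTransferFrom.
        bool ok = IStablecoin(ss.target).transferFrom(safe, ss.destination, ss.tAmount);
        require(ok, "target transfer failed");
    }
}
```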

sherlock-admin4 commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

WangAudit commented:

swapper role is trusted and controlled by telcoin team

takarez commented:

invalid