sherlock-admin3
commented
2 months ago 1 comment(s) were left on this issue during the judging contest.
infect3d commented:
only supposition and no detailed exploit
Closed sherlock-admin2 closed 2 months ago
sherlock-admin3
commented
2 months ago 1 comment(s) were left on this issue during the judging contest.
infect3d commented:
only supposition and no detailed exploit
nevillehuang
commented
2 months ago Invalid, lacks required PoC for reentrancy issues/non-obvious issues per sherlock rules
jovi
high
TpdaLiquidationPair does not enforce the TpdaLiquidationRouter contract is the only possible caller for the swapExactAmountOut function
Summary
The swapExactAmountOut function at the TpdaLiquidationPair contract swaps the given amount of output tokens for at most input tokens and was made to be utilized in the context of TpdaLiquidationRouter calls - it lacks any sort of access control to it, though.
Vulnerability Detail
The lack of access control is potentially dangerous as malicious parties can implement contracts that have different implementations to the callbacks done at the TpdaLiquidationPair contract's logic. The most important one is reentrancy, as the caller can remove the amountOut argument multiple times without having to pay for update auction prices.
Impact
Users can reenter the swapExactAmountOut function to get better auction prices. Malicious parties can execute arbitrary logic at the callbacks.
Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-tpda-liquidator/src/TpdaLiquidationPair.sol#L122
Tool used
Manual Review
Recommendation
Make sure to only allow the TdpaLiquidationRouter to call swapExactAmountOut at the TpdaLiquidationPair contract. Ensure the caller is the TdpaLiquidationRouter router otherwise revert.