The swapBatch function in the contract allows users to swap multiple NFTs at once. However, there is a missing validation check within the function, allowing the bypass of the same-token swapping restriction that exists in the single swap function. This creates an unintended discrepancy in behavior between the two functions and introduces a potential vulnerability where a user could perform an unnecessary or unintended swap by exchanging the same token.
Vulnerability Detail
In the swap function, a check is implemented to ensure that a user cannot swap a token for itself:
if (_tokenIdIn == _tokenIdOut) revert CannotSwapSameToken();
However, in the swapBatch function, there was an ommision of this check;
This omission allows users to swap the same token with itself, which not only contradicts the logic of the single token swap function but could also result in confusion or unintended behavior. For example, a user could initiate a batch swap where some token pairs involve identical tokens, which serves no purpose and could result in unnecessary gas costs or unexpected state changes.
Impact
Bypassing the swap validation logic: Users can swap the same token, which contradicts the contract’s intended behavior as defined in the swap function.
function swapBatch(
address _collection,
uint[] calldata _tokenIdsIn,
uint[] calldata _tokenIdsOut
) public nonReentrant whenNotPaused collectionExists(_collection) {
uint tokenIdsInLength = _tokenIdsIn.length;
if (tokenIdsInLength != _tokenIdsOut.length)
revert TokenIdsLengthMismatch();
// Cache our collection
IERC721 collection = IERC721(_collection);
for (uint i; i < tokenIdsInLength; ++i) {
//>>@audit Ensure that the token in and out are not the same
// if (_tokenIdsIn[i] == _tokenIdsOut[i])
// revert CannotSwapSameToken();
// Ensure that the token requested is not a listing
if (isListing(_collection, _tokenIdsOut[i]))
revert TokenIsListing(_tokenIdsOut[i]);
// Transfer the users token into the contract
collection.transferFrom(msg.sender, address(this), _tokenIdsIn[i]);
// Transfer the collection token from the caller.
collection.transferFrom(address(this), msg.sender, _tokenIdsOut[i]);
}
emit TokenSwapBatch(_collection, _tokenIdsIn, _tokenIdsOut, msg.sender);
}
Tool used
Manual Review
Recommendation
Ensure this check is properly implemented in the sawpBatch function
if (_tokenIdsIn[i] == _tokenIdsOut[i])
revert CannotSwapSameToken();
Raspy Azure Dragonfly
Low/Info
Swap bypass check
Summary
The
swapBatchfunction in the contract allows users to swap multiple NFTs at once. However, there is a missing validation check within the function, allowing the bypass of the same-token swapping restriction that exists in the singleswapfunction. This creates an unintended discrepancy in behavior between the two functions and introduces a potential vulnerability where a user could perform an unnecessary or unintended swap by exchanging the same token.Vulnerability Detail
In the
swapfunction, a check is implemented to ensure that a user cannot swap a token for itself:However, in the swapBatch function, there was an ommision of this check; This omission allows users to swap the same token with itself, which not only contradicts the logic of the single token
swapfunction but could also result in confusion or unintended behavior. For example, a user could initiate a batch swap where some token pairs involve identical tokens, which serves no purpose and could result in unnecessary gas costs or unexpected state changes.Impact
Bypassing the swap validation logic: Users can swap the same token, which contradicts the contract’s intended behavior as defined in the
swapfunction.Code Snippet
https://github.com/sherlock-audit/2024-08-flayer/blob/0ec252cf9ef0f3470191dcf8318f6835f5ef688c/flayer/src/contracts/Locker.sol#L268
Tool used
Manual Review
Recommendation
Ensure this check is properly implemented in the
sawpBatchfunction