Anyone may force the SWAPPER_ROLE to pay more gas in swaps by sending ETH or fee tokens to AmirX
Summary
AmirX::_buyBack() sends remaining native or feeToken to the safe whenever there are remaining values from the swap call. The SWAPPER_ROLE sponsors the call for the wallet spending a certain amount of gas and the wallet pays them in return.
However, the amount of gas to pay may be calculated without considering that remaining feeToken would be left in the contract as the swap call would forward everything, but someone frontruns the call and sends feeToken to AmirX, forcing dust amounts to be sent to defi.safe and spending extra gas.
Alternatively, the amount swapped is not completely predicatable and leftover feeToken amounts may unexpectedly still be in AmirX after the swap, but when the calculation of the gas to pay was made beforehand, offchain, it did not include the gas cost of sending these funds to the safe.
Root Cause
In AmirX:236/251, the fee tokens in AmirX are sent to the Safe.
Internal pre-conditions
None.
External pre-conditions
None.
Attack Path
Transaction is crafted offchain and simulated that no leftover fee token is left in the contract, forwading a certain amount of gas which the wallet will pay smaller than it should.
Malicious user forward 1 wei of feeToken to AmirX, triggering the calls to send the leftover feeToken to safe and spending more gas.
AmirX::swap() is called, spending more gas than initially thought, taking the SWAPPER_ROLE the loss.
Impact
SWAPPER_ROLE can be drained if enough users perform the attack.
PoC
None.
Mitigation
Instead of sending the remaining balance of feeToken in the contract, send just the actual returned from the swap call.
0x73696d616f
Medium
Anyone may force the
SWAPPER_ROLEto pay more gas in swaps by sendingETHor fee tokens toAmirXSummary
AmirX::_buyBack() sends remaining native or
feeTokento thesafewhenever there are remaining values from the swap call. TheSWAPPER_ROLEsponsors the call for thewalletspending a certain amount of gas and the wallet pays them in return.However, the amount of gas to pay may be calculated without considering that remaining
feeTokenwould be left in the contract as the swap call would forward everything, but someone frontruns the call and sendsfeeTokentoAmirX, forcing dust amounts to be sent todefi.safeand spending extra gas.Alternatively, the amount swapped is not completely predicatable and leftover
feeTokenamounts may unexpectedly still be inAmirXafter the swap, but when the calculation of the gas to pay was made beforehand, offchain, it did not include the gas cost of sending these funds to the safe.Root Cause
In
AmirX:236/251, the fee tokens inAmirXare sent to the Safe.Internal pre-conditions
None.
External pre-conditions
None.
Attack Path
walletwill pay smaller than it should.feeTokentoAmirX, triggering the calls to send the leftoverfeeTokentosafeand spending more gas.AmirX::swap()is called, spending more gas than initially thought, taking theSWAPPER_ROLEthe loss.Impact
SWAPPER_ROLEcan be drained if enough users perform the attack.PoC
None.
Mitigation
Instead of sending the remaining balance of
feeTokenin the contract, send just the actual returned from the swap call.