smbv-1923 - `defiToStablecoinSwap()` would fail if `ss.stablecoinFeeCurrency` and `ss.origin` token are same

[sherlock-admin3]

smbv-1923

Medium

defiToStablecoinSwap() would fail if ss.stablecoinFeeCurrency and ss.origin token are same

Summary

defiToStablecoinSwap() would fail if ss.stablecoinFeeCurrency and ss.origin token are same

Root Cause

https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/stablecoin/StablecoinHandler.sol#L144 https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/swap/AmirX.sol#L111

Internal pre-conditions

• ss.stablecoinFeeSafe token should be same as ss.origin token

External pre-conditions

No response

Attack Path

• Let's understand using an example.
• Let's suppose user want to swap 100 AAVE to 100 eUSDC and ss.stablecoinFeeCurrency is set as ORIGIN address (i.e USDC)
• Now First _defiswap() would happen and after execution user's wallet would be getting approx 100 USDC for swapping 100 AAVE tokens.
• So now user's wallet balance is 100 USDC.
• Now stable coin swap would happen from USDC to eUSDC using _stablecoinSwap()
• Inside _stablecoinSwap(), fee gets transferred to stablecoinFeeSafe adddress lets assume 5 USDC gets transferred as feeAmount is 5.

  ERC20PermitUpgradeable(ss.stablecoinFeeCurrency).safeTransferFrom(
              wallet,
              ss.stablecoinFeeSafe,
              ss.feeAmount
          );

• So now user's wallet balance would be 95 USDC.

• After that USDC gets transferred to liquidity Safe address and amount of USDC transferred = ss.oAmount which is 100 USDC

  ERC20PermitUpgradeable(ss.origin).safeTransferFrom(
              wallet,
              ss.liquiditySafe,
  
              ss.oAmount
          );

• Now as wallet has only 95 USDC left the above call would fail due to insufficient balance in wallet.
• Due to this whole defiToStablecoinSwap() would revert.

Impact

• defiToStablecoinSwap would fail whenever ss.stablecoinFeeSafe and ss.origin in defi to stable coin swap is same

PoC

No response

Mitigation

• Make sure if ss.stablecoinFeeSafe and ss.origin are same then subtract ss.feeAmount from ss.oAmount

  ERC20PermitUpgradeable(ss.origin).safeTransferFrom(
              wallet,
              ss.liquiditySafe,
  
              ss.oAmount - ss.feeAmount
          );