sherlock-audit / 2024-11-telcoin-judging


0xNirix - POL Buyback Implementation Flaw in AmirX Contract #70

Open sherlock-admin2 opened 2 weeks ago

sherlock-admin2 commented 2 weeks ago

0xNirix

Medium

POL Buyback Implementation Flaw in AmirX Contract

Summary

Incorrect POL balance handling will cause operational failures in the TELCOIN buyback and referral system for protocol users, as the contract incorrectly processes POL fees, preventing proper TELCOIN conversion and referral payments.

Root Cause

In AmirX.sol:_buyBack() at https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/swap/AmirX.sol#L232 the POL swap incorrectly uses msg.value instead of the contract's actual POL balance: (bool polSwap, ) = aggregator.call{value: msg.value}(swapData);

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

Impact

The protocol fails to convert POL fees to TELCOIN when msg.value is 0 or insufficient, even though POL fees are being paid by transferring to the contract as desired.

PoC

No response

Mitigation

No response

sherlock-admin2 commented 2 weeks ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/telcoin/telcoin-audit/pull/59
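The root cause reported in this issue, shown as an added Solidity sketch that is not code from AmirX.sol, from the report, or from the fix in the linked PR. `MockAggregator`, `BuybackSketch`, `Demo`, the two function names and the `feeAmount` parameter are hypothetical; the sketch assumes the POL fee is transferred to the contract in an earlier call, as the Impact section describes, and the balance-checked variant is one possible approach, not the project's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the swap aggregator: records the POL each call carries.
contract MockAggregator {
    uint256 public lastReceived;
    fallback() external payable { lastReceived = msg.value; }
}

// Hypothetical sketch, not AmirX: only the value-forwarding logic is modelled.
contract BuybackSketch {
    address public immutable aggregator;
    constructor(address aggregator_) { aggregator = aggregator_; }
    // POL fees arrive here as plain transfers, separate from the buyback call.
    receive() external payable {}

    // Pattern from the report: forwards only what the current call carried.
    // When msg.value is 0 the aggregator gets no POL, although the fee is
    // already held by this contract.
    function buyBackWithMsgValue(bytes calldata swapData) external payable {
        (bool polSwap, ) = aggregator.call{value: msg.value}(swapData);
        require(polSwap, "POL swap failed");
    }

    // Assumed alternative: forward an explicit fee amount, bounded by the POL
    // this contract actually holds, independent of the caller's msg.value.
    function buyBackWithHeldFee(bytes calldata swapData, uint256 feeAmount) external {
        require(feeAmount <= address(this).balance, "fee exceeds held POL");
        (bool polSwap, ) = aggregator.call{value: feeAmount}(swapData);
        require(polSwap, "POL swap failed");
    }
}

// Constructed scenario: pay the fee by transfer, then trigger each buyback
// with no value attached and report what the aggregator received.
contract Demo {
    function run() external payable returns (uint256 viaMsgValue, uint256 viaHeldFee) {
        MockAggregator agg = new MockAggregator();
        BuybackSketch s = new BuybackSketch(address(agg));
        (bool ok, ) = address(s).call{value: msg.value}("");
        require(ok, "fee transfer failed");
        s.buyBackWithMsgValue("");
        viaMsgValue = agg.lastReceived();
        s.buyBackWithHeldFee("", msg.value);
        viaHeldFee = agg.lastReceived();
    }
}
```

Calling `Demo.run` with a non-zero value contrasts the two paths: the first swap call succeeds while carrying no POL, so a success flag alone does not reveal the skipped conversion.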