search

sherlock-audit / 2024-11-telcoin-judging

0 stars 0 forks source link

AestheticBhai - The contract incorrectly uses msg.value instead of the contract's accumulated POL balance when performing buyback operations, preventing the proper conversion of collected POL fees to TELCOIN #84

Open sherlock-admin2 opened 1 week ago

sherlock-admin2 commented 1 week ago

AestheticBhai

Medium

The contract incorrectly uses msg.value instead of the contract's accumulated POL balance when performing buyback operations, preventing the proper conversion of collected POL fees to TELCOIN

Summary

The AmirX.sol incorrectly processes POL (Polygon/MATIC) fees during buyback operations by using msg.value instead of the contract's actual POL balance. This prevents the contract from converting POL fees into TELCOIN as intended.

Root Cause

function _buyBack( ERC20 feeToken, address aggregator, address safe, bytes memory swapData ) internal { if (address(feeToken) == POL) { (bool polSwap, ) = aggregator.call{value: msg.value}(swapData); require(polSwap, "AmirX: POL swap transaction failed"); } } https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/swap/AmirX.sol#L224 The bug occurs because the function uses msg.value for the swap amount instead of address(this).balance, which represnts the contract's actual POL balance

Assume a user wants to swap pol = 50 User balance:50 POL // 1. User performs a swap with 10% fee(assuming 10% fee) Transaction { from: user value: 50 POL fee: 5 POL (10%) } // 2. Result after swap AmirX balance: 5 POL (fee collected) (note: the balance of the contracts pol can be anythingthis issue will still occur){5 pol is just assuming contract had 0 pol before} User receives: xyz token according to there swap // 3. Buyback attempt buyBack() { // Uses msg.value instead of contract balance (5 POL) aggregator.call{value: 0}(swapData) } // 4. Final state AmirX balance: 5 POL TELCOIN received: 0

Internal pre-conditions

The buyback function must be triggered

External pre-conditions

1)POL must be specified as the fee token

Attack Path

No response

Impact

1)POL fees accumulate in contract without conversion 2) Protocol loses opportunity to acquire TELCOIN 3) The contract accumulates POL fees over time that need to be swapped

PoC

No response

Mitigation

No response

sherlock-admin2 commented 1 week ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/telcoin/telcoin-audit/pull/59