code423n4 / Code4rena: 2022-03-LIFINANCE-FINDINGS, issue 205
Mar 30, 2022 - 12:00 a.m.

Any user can recover the funds left in the contract


Lines of code

Vulnerability details

Impact

The WithdrawFacet is designed so that only the owner/admin can recover funds left in the contract. However, any user can retrieve those funds through the swapTokensGeneric function, which is likely unexpected behavior.

Proof of Concept

  1. Suppose that 1000 USDC is left in the contract, and some random user wants to withdraw it.
  2. They call the swapTokensGeneric function with the corresponding parameters to swap 1000 USDC to DAI via the Uniswap V2 router.
  3. The swapTokensGeneric function calls _executeSwaps, which calls LibSwap.swap. In this function, the contract checks whether LibAsset.getOwnBalance(fromAssetId) < fromAmount. If the contract already holds enough balance, it does not call LibAsset.transferFromERC20 to pull the tokens from the caller.
  4. Therefore, the user does not have to send any USDC to the contract, because the existing funds are sufficient. As a result, they receive the swapped DAI without providing any USDC.

GenericSwapFacet.sol#L22-L44
Swapper.sol#L12-L23
LibSwap.sol#L33-L35

Recommended Mitigation Steps

If allowing anyone to recover funds is not the desired behavior, consider always transferring fromAmount from the caller before the first swap, regardless of the contract's own balance.
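The funding check from the Proof of Concept and the mitigation above, side by side, as an added Solidity sketch (not LI.FI's LibSwap or any project code; the contract, function and router names are hypothetical and the ERC20 interface is trimmed to what the example uses):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the pattern described in the finding; names and
// interfaces are simplified assumptions, not the audited contracts.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

contract SwapperSketch {
    address public immutable dex; // hypothetical DEX router address

    constructor(address _dex) {
        dex = _dex;
    }

    // Vulnerable variant: the caller is only charged when the contract's own
    // balance is short, so tokens already sitting in the contract are spent on
    // behalf of whoever calls first (the stray 1000 USDC in the PoC).
    function _fundSwapVulnerable(address fromAsset, uint256 fromAmount) internal {
        if (IERC20(fromAsset).balanceOf(address(this)) < fromAmount) {
            require(
                IERC20(fromAsset).transferFrom(msg.sender, address(this), fromAmount),
                "transfer failed"
            );
        }
        require(IERC20(fromAsset).approve(dex, fromAmount), "approve failed");
        // ...call the router to swap exactly fromAmount...
    }

    // Mitigated variant (the recommended fix): always pull the full fromAmount
    // from the caller before swapping, regardless of what the contract holds.
    // Stray balances then remain reachable only through the owner-gated
    // WithdrawFacet.
    function _fundSwapFixed(address fromAsset, uint256 fromAmount) internal {
        require(
            IERC20(fromAsset).transferFrom(msg.sender, address(this), fromAmount),
            "transfer failed"
        );
        require(IERC20(fromAsset).approve(dex, fromAmount), "approve failed");
        // ...call the router to swap exactly fromAmount...
    }
}
```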
