code423n4 Code4rena CODE423N4:2022-03-LIFINANCE-FINDINGS-ISSUES-67
Mar 28, 2022 - 12:00 a.m.

Lack of checks between _swapData and _lifiData could lead to loss of funds and reputation risk.

Code4rena
github.com

Lines of code

LibSwap.swap
swapTokensGeneric

Vulnerability details

Impact

Users could input incongruent values for _lifiData and _swapData, leading to a swap not being processed correctly and users not getting any of the expected _lifiData.receivingAssetId.

It can also damage reputation because LiFi could use this to scam their users through a front end by changing inputs deliberately.

Proof of Concept

  • User calls swapTokensGeneric but accidentally inputs two different addresses for _lifiData.receivingAssetId(DAI) and _swapData.receivingAssetId(ADA).

    function swapTokensGeneric(LiFiData memory _lifiData, LibSwap.SwapData[] calldata _swapData)

  • LibSwap.swap uses _swapData.receivingAssetId(ADA) to make the swap; however, GenericSwapFacet.swapTokensGeneric.postSwapBalance uses _lifiData.receivingAssetId(DAI) to calculate the amount to be transferred based on its balance before the swap.

    uint256 toAmount = LibAsset.getOwnBalance(_swapData.receivingAssetId);

    vs

    uint256 postSwapBalance = LibAsset.getOwnBalance(_lifiData.receivingAssetId) - receivingAssetIdBalance;

  • The balance of DAI has not changed on LiFi, so the user will not get any; however, the swap for ADA was successful and was sent to LiFi's contract instead.

    LibAsset.transferAsset(_lifiData.receivingAssetId, payable(msg.sender), postSwapBalance);

Tools Used

Recommended Mitigation Steps

Implement a check to make sure _lifiData and _swapData values are the same.
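
The accounting gap and the recommended check, as an added example: this is a simplified Python model written for this page, not the project's Solidity code. The Facet class, the 1:1 swap rate, the amounts and the choice to compare the final swap leg against _lifiData.receivingAssetId are assumptions made for illustration.

```python
# Added example: simplified model of the balance accounting in the report.
# Not LiFi code; the swap rate, amounts and class names are constructed.
from collections import defaultdict


class ReceivingAssetMismatch(Exception):
    """_lifiData and the final swap leg name different receiving assets."""


class Facet:
    def __init__(self):
        self.own = defaultdict(int)    # token -> balance held by the contract
        self.users = defaultdict(int)  # (user, token) -> balance paid out

    def _swap(self, swap):
        # Stand-in for LibSwap.swap: proceeds arrive in the asset named by
        # _swapData.receivingAssetId (1:1 rate, constructed).
        self.own[swap["receivingAssetId"]] += swap["fromAmount"]

    def swap_tokens_generic(self, user, lifi_data, swap_data, check=False):
        asset = lifi_data["receivingAssetId"]
        # Recommended mitigation (assumed form): the last leg must deliver
        # the asset whose balance delta is paid to the caller.
        if check and (not swap_data or swap_data[-1]["receivingAssetId"] != asset):
            raise ReceivingAssetMismatch(asset)
        before = self.own[asset]              # receivingAssetIdBalance
        for swap in swap_data:
            self._swap(swap)
        post_swap_balance = self.own[asset] - before
        self.own[asset] -= post_swap_balance  # LibAsset.transferAsset(...)
        self.users[(user, asset)] += post_swap_balance
        return post_swap_balance


def run(check):
    """Replay the report's DAI/ADA mismatch; return (payout, contract balances)."""
    facet = Facet()
    lifi_data = {"receivingAssetId": "DAI"}                        # constructed
    swap_data = [{"receivingAssetId": "ADA", "fromAmount": 100}]   # constructed
    try:
        sent = facet.swap_tokens_generic("alice", lifi_data, swap_data, check)
    except ReceivingAssetMismatch:
        return "reverted", dict(facet.own)
    return sent, dict(facet.own)


if __name__ == "__main__":
    print(run(check=False))  # unchecked: payout 0, ADA left in the contract
    print(run(check=True))   # checked: rejected before any swap executes
```
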

