3 matches found
Upgraded Q -> M from 18 [1656705908645]
Judge has assessed an item in Issue 18 as Medium risk. The relevant finding follows: Controlled swapRouter The FeeBurner contract sets the swapperRouter in the addressProvider, so the owner can set any type of swapper, paths or pools, even malicious ones. Since there is no slippage defined in the...
Attacker can get drain ETH for targetLpToken_
Lines of code Vulnerability details Impact Attacker can drain all ETH from FeeBurner.sol. Technically msg.value gets sent to swapperRouter, but since this contract is out of scope FeeBurner.sol will be treated as the victim Proof of Concept FeeBurner.solL56-L65 ... for uint256 i; i tokens.length;...
unsafe call using msg.value in loop
Lines of code Vulnerability details description with the function burnToTarget in FeeBurner.sol, a malicious user can swap more funds than they input in ETH if they include multiple address0 in the addresses tokens parameter during the function call, there is a for loop that loops through tokens...