Flash swap call back prior to transferring tokens in indexPool #26
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Warden finding
duplicate
Another warden found this issue
Handle
broccoli
Vulnerability details
Flash swap call back prior to transferring tokens in indexPool
Impact
In the IndexPool contract, flashSwap does not work.
The callback function is called prior to token transfer. The sender won't receive tokens in the callBack function.
ITridentCallee(msg.sender).tridentSwapCallback(context);
Flashswap is not implemented correctly. It may need a migration to redeploy all indexPools if the issue is found after main-net launch.
I consider this a high-risk issue.
Proof of Concept
IndexPool.sol#L196-L223
Tools Used
None
Recommended Mitigation Steps
The text was updated successfully, but these errors were encountered: