Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Flash swap call back prior to transferring tokens in indexPool #26

Open
code423n4 opened this issue Sep 29, 2021 · 2 comments
Open

Flash swap call back prior to transferring tokens in indexPool #26

code423n4 opened this issue Sep 29, 2021 · 2 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Warden finding duplicate Another warden found this issue

Comments

@code423n4
Copy link
Contributor

Handle

broccoli

Vulnerability details

Flash swap call back prior to transferring tokens in indexPool

Impact

In the IndexPool contract, flashSwap does not work.
The callback function is called prior to token transfer. The sender won't receive tokens in the callBack function.
ITridentCallee(msg.sender).tridentSwapCallback(context);

Flashswap is not implemented correctly. It may need a migration to redeploy all indexPools if the issue is found after main-net launch.
I consider this a high-risk issue.

Proof of Concept

IndexPool.sol#L196-L223

        ITridentCallee(msg.sender).tridentSwapCallback(context);
        // @dev Check Trident router has sent `amountIn` for skim into pool.
        unchecked { // @dev This is safe from under/overflow - only logged amounts handled.
            require(_balance(tokenIn) >= amountIn + inRecord.reserve, "NOT_RECEIVED");
            inRecord.reserve += uint120(amountIn);
            outRecord.reserve -= uint120(amountOut);
        }
        _transfer(tokenOut, amountOut, recipient, unwrapBento);

Tools Used

None

Recommended Mitigation Steps

        _transfer(tokenOut, amountOut, recipient, unwrapBento);
        ITridentCallee(msg.sender).tridentSwapCallback(context);
        // @dev Check Trident router has sent `amountIn` for skim into pool.
        unchecked { // @dev This is safe from under/overflow - only logged amounts handled.
            require(_balance(tokenIn) >= amountIn + inRecord.reserve, "NOT_RECEIVED");
            inRecord.reserve += uint120(amountIn);
            outRecord.reserve -= uint120(amountOut);
        }
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Warden finding labels Sep 29, 2021
code423n4 added a commit that referenced this issue Sep 29, 2021
@code423n4
broccoli issue #26
61c0937
@maxsam4 maxsam4 added the duplicate Another warden found this issue label Oct 21, 2021
@maxsam4 maxsam4 closed this as completed Oct 21, 2021
@ninek9 ninek9 reopened this Oct 22, 2021
@ninek9 ninek9 closed this as completed Oct 22, 2021
@alcueca
Copy link
Collaborator

alcueca commented Oct 27, 2021

I can't find a duplicate, @maxsam4?

@alcueca alcueca reopened this Oct 27, 2021
@maxsam4
Copy link
Collaborator

maxsam4 commented Oct 27, 2021

Duplicate of
#157
and
#80

This was referenced Oct 27, 2021
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Warden finding duplicate Another warden found this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ninek9 @maxsam4 @alcueca @code423n4