ChiefTrader.sol
Wrong implementation of swapExactInput()
and swapExactOutput()
#108
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
WatchPug
Vulnerability details
When a caller calls
ChiefTrader.sol#swapExactInput()
, it will callITrader(traderAddress).swapExactInput()
.https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/trader/ChiefTrader.sol#L59-L59
However, in the current implementation, inputToken is not approved to the
traderAddress
.For example, in
UniV3Trader.sol#_swapExactInputSingle
, at L89, it tries to transfer inputToken frommsg.sender
(which isChiefTrader
), since it's not approved, this will revert.Plus, the inputToken should also be transferred from the caller before calling the subtrader.
https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/trader/UniV3Trader.sol#L89-L89
The same problem exits in
swapExactOutput()
:https://github.com/code-423n4/2021-12-mellow/blob/6679e2dd118b33481ee81ad013ece4ea723327b5/mellow-vaults/contracts/trader/ChiefTrader.sol#L63-L75
Recommendation
Approve the inputToken to the subtrader and transfer from the caller before calling
ITrader.swapExactInput()
andITrader.swapExactOutput()
.Or maybe just remove support of
swapExactInput()
andswapExactOutput()
inChiefTrader
.The text was updated successfully, but these errors were encountered: