EthRouter.change(): msg.value not decremented in loop, cannot process change() call which contains more than one element in the Change[] array #103
Labels: 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value); bug (Something isn't working); duplicate-873; high quality report (This report is of especially high quality); satisfactory (satisfies C4 submission criteria; eligible for awards)
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/EthRouter.sol#L273
Vulnerability details
Note that EthRouter.change() can take an array of changes: Change[].
The comment above the function also notes that this function should be able to accept multiple changes.
However, msg.value is a fixed property of the outer call and is never reduced as the loop runs: every iteration forwards the full msg.value to PrivatePool.change(). Once the first change has consumed its fee, the router no longer holds msg.value, so the second iteration has nothing left to forward.
The offending line of code:
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/EthRouter.sol#L273
After the first iteration, even though the excess is refunded to the router through PrivatePool.sol#L436, the router's balance is now msg.value minus the first change's fee. The second call again tries to forward the full msg.value, which exceeds that balance, so the CALL fails with an OutOfFund revert.
POC
For this test I split the original test into 2 separate changes in the Change[] array. I avoided minting extra tokens to ensure the weights and Merkle proof remain the same.
Test file:
/test/EthRouter/Change.t.sol
Run test:
forge test --ffi -m test_CallsChangeWithData_2ElementsInChangeArray -vvvv
The test fails to execute with an OutOfFund error.
Note that both calls to change() send a value of 25000000000000000000 wei (25 ether); however, by the time the second call is made the router no longer holds that amount, because the fee for the first change() call has already been deducted from its balance.
Remediation
The ETH still available should be tracked and decremented on each iteration of the loop (for example by measuring the router's balance before and after each PrivatePool.change() call), so that each call forwards only what remains and the fee for every change is covered.
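The bug and the remediation above, as an added example that is not Caviar's code: DemoPool is a hypothetical flat-fee pool standing in for PrivatePool.change() (the flat fee and refund behaviour are assumptions made for the illustration), VulnerableRouter forwards msg.value on every iteration, and FixedRouter tracks the remaining value by measuring its balance around each call. All three contract names are invented for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical pool standing in for PrivatePool.change(): keeps a flat fee
// and refunds the surplus to the caller. The fee model is an assumption.
contract DemoPool {
    uint256 public immutable fee;

    constructor(uint256 fee_) {
        fee = fee_;
    }

    function change() external payable {
        require(msg.value >= fee, "fee not covered");
        uint256 surplus = msg.value - fee;
        if (surplus > 0) {
            (bool ok, ) = msg.sender.call{value: surplus}("");
            require(ok, "refund failed");
        }
    }
}

// Buggy pattern: msg.value is constant for the whole outer call, so every
// iteration tries to forward the full original amount even though the fee of
// the previous change has already left the router's balance.
contract VulnerableRouter {
    function change(DemoPool[] calldata pools) external payable {
        for (uint256 i = 0; i < pools.length; i++) {
            // Iteration 2: address(this).balance == msg.value - fee < msg.value,
            // so the CALL fails (Foundry reports EvmError: OutOfFund).
            pools[i].change{value: msg.value}();
        }
        if (address(this).balance > 0) {
            (bool ok, ) = msg.sender.call{value: address(this).balance}("");
            require(ok, "refund failed");
        }
    }

    receive() external payable {}
}

// Fixed pattern: track the ETH still available and forward only that,
// decrementing by whatever each pool actually kept (fee minus refund).
contract FixedRouter {
    function change(DemoPool[] calldata pools) external payable {
        uint256 remaining = msg.value;
        for (uint256 i = 0; i < pools.length; i++) {
            uint256 balanceBefore = address(this).balance;
            pools[i].change{value: remaining}();
            // Checked arithmetic: reverts if a pool somehow paid out more than it received.
            uint256 spent = balanceBefore - address(this).balance;
            remaining -= spent;
        }
        // Return whatever was not consumed by fees.
        if (remaining > 0) {
            (bool ok, ) = msg.sender.call{value: remaining}("");
            require(ok, "refund failed");
        }
    }

    receive() external payable {}
}
```

With two DemoPool instances charging 1 ether each and a call carrying 25 ether, VulnerableRouter.change reverts on the second iteration (it tries to forward 25 ether while holding 24), whereas FixedRouter.change forwards 25 ether, then 24 ether, and refunds 23 ether to the caller, having paid 2 ether in fees in total.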