ETH CAN GET LOCKED IN THE CONTRACT DURING THE EXECUTION OF _swap() FUNCTION
#228
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-162
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L266
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L225-L232
Vulnerability details
Impact
In the JBXBuybackDelegate delegate contract, if the swap option is selected after comparing the quote, the JBXBuybackDelegate._swap() function will swap the _data.amount.value amount of ETH in the following pool.swap() call.

Once this call is made, the Uniswap V3 Pool will call the JBXBuybackDelegate.uniswapV3SwapCallback() callback function. The uniswapV3SwapCallback() function will convert the actual _amountToSend amount of ETH to WETH and then transfer that amount to the Uniswap V3 Pool.

The _amountToSend is calculated using the exchange rate of the Uniswap V3 Pool at the time of the execution of the transaction. Hence, even though the full amount of _data.amount.value was expected to be swapped into project tokens, only the _amountToSend amount of WETH will be swapped.

Based on the value of _amountToSend, the following scenarios can occur.

The transaction will revert since there is not enough ETH in the contract to be converted into WETH and transferred into the Uniswap V3 Pool.

The _data.amount.value - _amountToSend will get stuck in the contract. There is no withdrawal mechanism in the contract to withdraw this locked amount of ETH. Even though this value will be very low for a single transaction, once the protocol starts functioning and multiple swap transactions are executed, these smaller values can add up and result in a considerable amount of ETH locked in the contract.

This could further allow an attacker to swap the _data.amount.value amount by sending in a comparatively smaller amount of ETH, since the remainder will be fulfilled by the locked ETH, given there is a sufficient amount of ETH locked due to previous swap transactions.

Proof of Concept
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L266
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L225-L232
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
It is recommended to implement a withdrawal function in the JBXBuybackDelegate contract to release the _data.amount.value - _amountToSend amount of ETH locked per swap transaction. This locked amount can increase as more swap transactions are executed in the contract.

This recommended withdrawal function should only be callable by the admin of the protocol, and the admin should be able to transfer this locked amount of ETH into the protocol reserve.

Assessed type
ETH-Transfer
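
One way to shape the withdrawal recommended under Recommended Mitigation Steps, as an added Solidity example that is not code from JBXBuybackDelegate or the Juicebox project. The contract name, the admin and reserve addresses, settleSwap() and withdrawLockedEth() are hypothetical, and a plain ETH transfer stands in for the WETH wrap and transfer to the pool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added illustration; not code from JBXBuybackDelegate. Every name except
// amountToSend (the page's _amountToSend) is hypothetical.
contract LeftoverEthSweep {
    address public immutable admin;            // assumed: protocol admin
    address payable public immutable reserve;  // assumed: protocol reserve
    uint256 public lockedEth;                  // ETH received but not sent to the pool

    error NotAdmin();
    error InsufficientPayment(uint256 paid, uint256 needed);
    error NothingLocked();
    error TransferFailed();

    event LeftoverRecorded(uint256 paid, uint256 sent, uint256 leftover);
    event LockedEthWithdrawn(uint256 amount);

    constructor(address _admin, address payable _reserve) {
        admin = _admin;
        reserve = _reserve;
    }

    // Stand-in for swap settlement: msg.value plays the role of
    // _data.amount.value, and only amountToSend goes to the pool.
    function settleSwap(address payable pool, uint256 amountToSend) external payable {
        // A swap may never draw on ETH left behind by earlier swaps.
        if (amountToSend > msg.value) revert InsufficientPayment(msg.value, amountToSend);
        uint256 leftover = msg.value - amountToSend;
        lockedEth += leftover; // track the remainder instead of losing sight of it
        emit LeftoverRecorded(msg.value, amountToSend, leftover);
        (bool ok, ) = pool.call{value: amountToSend}("");
        if (!ok) revert TransferFailed();
    }

    // Admin-only release of the accumulated remainder to the protocol reserve.
    function withdrawLockedEth() external {
        if (msg.sender != admin) revert NotAdmin();
        uint256 amount = lockedEth;
        if (amount == 0) revert NothingLocked();
        lockedEth = 0; // effects before the external call
        (bool ok, ) = reserve.call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit LockedEthWithdrawn(amount);
    }
}
```

Tracking the remainder in lockedEth, instead of sweeping address(this).balance, keeps the withdrawal limited to ETH that swaps actually left behind.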