Excess ETH when swapping tokens is not returned back and will be stuck forever on the JBXBuybackDelegate contract #48
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-162
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L258-L323
Vulnerability details
Impact
All the excess ETH sent to make swaps on the JBXBuybackDelegate contract will be stuck forever inside the contract.
Proof of Concept
The contract assumes that the `_amountToSend` calculated by the Uniswap pool will take 100% of the sent ETH, which might not always be the case. Coded a PoC to demonstrate this issue:

Add a `buyBackDelegateBalance()` view function on the `JBXBuybackDelegate` contract, just to facilitate monitoring of the ETH balance that the contract is holding, both before and after doing a swap.

JBXBuybackDelegate contract

In the `testDatasourceDelegateSwapIfPreferenceIsToClaimTokens()` test in the `DelegateUnit.t.sol` test file, basically, we need to call the `buyBackDelegateBalance()` function at the beginning and at the end of the test.

All the ETH sent to `JBETHPaymentTerminal::pay()` is left on the `JBXBuybackDelegate` contract. The reason is that in this PoC there is no actual payment of WETH tokens to the uni pool; nevertheless, when the real swaps are executed, the ETH that will be left on the contract will be the difference between the `msg.value` sent to `JBETHPaymentTerminal::pay()` and the `_amountToSend` calculated by Uniswap.

Take as reference the logic in the `_mint()` function, which successfully returns the received ETH back to the PaymentTerminal contract.
Tools Used
Manual Audit
Recommended Mitigation Steps
Take the amount of ETH actually used by the swap (`_amountToSend`), deduct it from the total `msg.value` that was sent to `jbETHPaymentTerminal().pay()`, and return the difference to the PaymentTerminal. If the excess ETH is left on the `JBXBuybackDelegate` contract it will be stuck forever since there is no function to withdraw it to another address.
Assessed type
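The vulnerable shape beside the refunding one, as an added sketch that is not Juicebox's code: `ISwapPool`, `IPaymentTerminal`, `BuybackDelegateSketch` and `swapCallback` are assumed stand-ins, plain ETH stands in for the WETH the real callback pays, and the refund goes the same direction the report says `_mint()` already uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Juicebox code; all names are assumed stand-ins. The
// callback shape mirrors Uniswap V3: the pool decides how much input it needs
// and the caller pays exactly that amount inside the callback.
interface ISwapPool {
    function swap(uint256 minimumOut) external;
}
interface IPaymentTerminal {
    // Stand-in for the terminal entry point that _mint() already refunds into.
    function addToBalance() external payable;
}

contract BuybackDelegateSketch {
    ISwapPool public immutable pool;
    IPaymentTerminal public immutable terminal;
    uint256 private _amountToSend; // input the pool asked for in the callback

    constructor(ISwapPool _pool, IPaymentTerminal _terminal) {
        pool = _pool;
        terminal = _terminal;
    }

    // Observe what is held here before/after a swap, like the PoC's
    // buyBackDelegateBalance() helper.
    function stuckBalance() external view returns (uint256) {
        return address(this).balance;
    }

    // Pool callback: pay exactly the input it needs (ETH stands in for WETH).
    function swapCallback(uint256 amountToSend) external {
        require(msg.sender == address(pool), "not pool");
        _amountToSend = amountToSend;
        (bool ok, ) = address(pool).call{value: amountToSend}("");
        require(ok, "pay failed");
    }

    // Vulnerable shape: msg.value - _amountToSend stays here with no way out.
    function swapNoRefund(uint256 minimumOut) external payable {
        pool.swap(minimumOut);
    }

    // Hardened shape: return the unconsumed remainder to the terminal.
    function swapWithRefund(uint256 minimumOut) external payable returns (uint256 refunded) {
        pool.swap(minimumOut);
        refunded = msg.value - _amountToSend; // checked: reverts if the pool over-asks
        if (refunded != 0) terminal.addToBalance{value: refunded}();
    }
}
```

Calling `stuckBalance()` before and after `swapNoRefund` shows the leftover accumulating; after `swapWithRefund` it stays unchanged.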
Other