This repository has been archived by the owner on May 26, 2023. It is now read-only.
In the ExchangeProxy.executeSwapDirect(...) function, a user can pass in arbitrary _data. It's not validated to make sure this swap used exactly _amount of tokenIn. In addition, fees from previous swaps are kept in ExchangeProxy, so an attacker can steal these fees to do the swap.
Impact
Anyone can steal fee in ExchangeProxy
Code Snippet
Input token is transferred to ExchangeProxy contract before calling this function.
// ensure no state passed, no reentrancy, etc.
(bool success, ) = executorAddress.call{value: ethValue}(callData); // @audit can take fee of this contract to swap
require(success, "SWAP_CALL_FAILED");
Allowance to spender will be maxInt
// allow spender to transfer tokens from this contract
if (_tokenFrom != ETH_TOKEN_ADDRESS && spenderAddress != address(0)) {
    require(trustedRegistryContract.isWhitelisted(spenderAddress), "allowance to non-trusted");
    resetAllowanceIfNeeded(IERC20(_tokenFrom), spenderAddress, _amount);
}
Tool used
Manual Review
Recommendation
Consider transferring fee immediately after the swap. This contract is not supposed to hold any funds.
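One way to enforce the missing "exactly _amount" check described in this report, as an added example that is not part of the original issue or the audited repository. The contract name ExactSpendGuard, the function _swapWithExactSpend, the interface IERC20Balance and the revert strings other than SWAP_CALL_FAILED are hypothetical; it covers the ERC-20 input path only and assumes the input token and output token differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 view needed for the balance check (hypothetical name).
interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical helper, not code from the audited repository: wraps the
// low-level swap call so that it must consume exactly `amount` of
// `tokenFrom` held by this contract.
abstract contract ExactSpendGuard {
    function _swapWithExactSpend(
        IERC20Balance tokenFrom,
        uint256 amount,
        address executorAddress,
        bytes memory callData
    ) internal {
        // Snapshot includes the caller's deposit plus anything the
        // contract already held (for example retained fees).
        uint256 balanceBefore = tokenFrom.balanceOf(address(this));
        require(balanceBefore >= amount, "INSUFFICIENT_INPUT");

        (bool success, ) = executorAddress.call(callData);
        require(success, "SWAP_CALL_FAILED");

        uint256 balanceAfter = tokenFrom.balanceOf(address(this));
        // Reverts when the call data made the spender pull more than
        // `amount` (dipping into retained balance) or less than `amount`.
        require(
            balanceAfter + amount == balanceBefore,
            "SPENT_NOT_EQUAL_AMOUNT"
        );
    }
}
```

The check does not replace the recommendation to forward fees right after each swap; it only stops a single call from spending balance the caller did not deposit. Tokens that charge a transfer fee or rebase would need a tolerance rather than strict equality.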
I think that it's a low vulnerability (user funds are not affected by this and fees are harvested from time to time anyway in the normal flow of operation).
But, regardless -- this issue has a valid point.
minhquanym
high
Anyone can steal fee in ExchangeProxy to do the swap
Summary
https://github.com/sherlock-audit/2022-10-mover/blob/main/cardtopup_contract/contracts/ExchangeProxy.sol#L173-L175
Duplicate of #112