yotov721 - User wrapped tokens get stuck in master router because of incorrect calculation #146
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
Medium: A valid Medium severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
yotov721
high
User wrapped tokens get stuck in master router because of incorrect calculation
Summary
Swapping exact tokens for ETH swaps the underlying token amount, not the wrapped token amount, and this causes wrapped tokens to get stuck in the contract.
Vulnerability Detail
In the protocol the JalaMasterRouter is used to swap tokens with less than 18 decimals. It is achieved by wrapping the underlying tokens and interacting with the JalaRouter02. Wrapping the token gives it 18 decimals (18 - token.decimals()). There are also functions that swap with native ETH.
In the swapExactTokensForETH function the tokens are transferred from the user to the Jala master router, wrapped, approved to JalaRouter02, and then IJalaRouter02::swapExactTokensForETH() is called with the amount of tokens to swap, the to address, the deadline and the path.
The amount of tokens to swap that is passed is the amount before the wrap. Hence wrappedAmount - underlyingAmount is stuck.
Add the following test to JalaMasterRouter.t.sol and run with forge test --mt testswapExactTokensForETHStuckTokens -vvv
Impact
User wrapped tokens get stuck in the router contract. They can be stolen by someone performing a swapExactTokensForTokens() because it uses the whole balance of the contract when swapping: IERC20(wrappedTokenIn).balanceOf(address(this))
Code Snippet
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/JalaMasterRouter.sol#L284-L301
Tool used
Manual Review, foundry
Recommendation
In JalaMasterRouter::swapExactTokensForETH() multiply the amountIn by the decimal offset of the token:
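Added example (not part of the original report and not the project's code): a Python model of the router's wrapped-token accounting, showing the balance left behind by the reported behaviour, the zero balance after the recommended multiplication, and the zero-balance invariant a regression test can assert. It assumes wrapping scales amounts by 10 ** (18 - token.decimals()); the class and function names are hypothetical and the amounts are constructed.

```python
"""Constructed model of the accounting in the report (not the Jala contracts)."""

WRAPPED_DECIMALS = 18  # per the report, wrapped tokens have 18 decimals


def decimal_offset(underlying_decimals: int) -> int:
    # Assumption: wrapping scales amounts by 10 ** (18 - token.decimals()).
    return 10 ** (WRAPPED_DECIMALS - underlying_decimals)


class MasterRouterModel:
    """Tracks only the wrapped-token balance held by the master router."""

    def __init__(self, underlying_decimals: int, fixed: bool = False):
        self.offset = decimal_offset(underlying_decimals)
        self.fixed = fixed
        self.wrapped_balance = 0  # wrapped tokens sitting in the router

    def swap_exact_tokens_for_eth(self, amount_in: int) -> int:
        """Return the wrapped amount forwarded to the inner router."""
        self.wrapped_balance += amount_in * self.offset  # wrap the user's tokens
        # Reported behaviour: the pre-wrap amount is forwarded.
        # Recommended behaviour: amountIn multiplied by the decimal offset.
        forwarded = amount_in * self.offset if self.fixed else amount_in
        self.wrapped_balance -= forwarded  # inner router pulls only this much
        return forwarded

    def swap_exact_tokens_for_tokens(self, amount_in: int) -> int:
        """Per the report, this path swaps the router's whole wrapped balance."""
        self.wrapped_balance += amount_in * self.offset
        forwarded = self.wrapped_balance  # balanceOf(address(this))
        self.wrapped_balance = 0
        return forwarded


def stuck_after_eth_swap(amount_in: int, decimals: int, fixed: bool) -> int:
    """Router balance after one ETH swap; a regression test should assert 0."""
    router = MasterRouterModel(decimals, fixed)
    router.swap_exact_tokens_for_eth(amount_in)
    return router.wrapped_balance


def forwarded_for_next_caller(first_in: int, next_in: int, decimals: int) -> int:
    """Wrapped amount swapped for a later caller after an unfixed ETH swap."""
    router = MasterRouterModel(decimals)
    router.swap_exact_tokens_for_eth(first_in)
    return router.swap_exact_tokens_for_tokens(next_in)
```

For a 6-decimal token, almost the entire wrapped amount stays in the router under the reported behaviour, which is why a balance-is-zero assertion after each router call catches this class of bug.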