The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Get token discrepancies

Summary

SmartVaultV3 fetches a token by symbol in two different ways, opening the possibility of different results.

Vulnerability Details

The smart vault has a function to get a token by its symbol:

    function getToken(bytes32 _symbol) private view returns (ITokenManager.Token memory _token) {
        ITokenManager.Token[] memory tokens = getTokenManager().getAcceptedTokens();
        for (uint256 i = 0; i < tokens.length; i++) {
            if (tokens[i].symbol == _symbol) _token = tokens[i];
        }
        require(_token.symbol != bytes32(0), "err-invalid-swap");
    }

However, it is confusing because some functions use this function to get the token and some functions get it from the manager, e.g.:

    getTokenManager().getToken(NATIVE), getTokenManager().getToken(_symbol)

The token manager contract is not provided in scope, so it is hard to assume if these functions return identical results, but I believe it is a valid concern to unify the usage across contracts.

Impact

getToken() and getTokenManager().getToken() might behave differently and cause discrepancies in the contract. It would be better to leave only one contract responsible for this information.

Tools Used

Manual review.

Recommendations

Make sure that the implementations are correct and, if possible, use the same way of getting the token in all cases.
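
One way to check whether the two lookup paths agree for a given token manager, as an added example that is not part of the submission or of The Standard's code. Only `getAcceptedTokens()` and `getToken(bytes32)` come from the text above; the `Token` fields other than `symbol`, the contract name `TokenLookupCheck` and its function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed interface: the Token fields other than `symbol` are hypothetical,
// because the token manager contract is not shown on the page.
interface ITokenManager {
    struct Token { bytes32 symbol; address addr; uint8 dec; }
    function getAcceptedTokens() external view returns (Token[] memory);
    function getToken(bytes32 _symbol) external view returns (Token memory);
}

contract TokenLookupCheck {
    // Same scan as the vault's private getToken(): there is no break,
    // so when a symbol appears twice the last match wins.
    function scan(ITokenManager.Token[] memory tokens, bytes32 _symbol)
        internal pure returns (bool found, ITokenManager.Token memory token)
    {
        for (uint256 i = 0; i < tokens.length; i++) {
            if (tokens[i].symbol == _symbol) { token = tokens[i]; found = true; }
        }
    }

    // True when both lookup paths give the same answer for _symbol:
    // either both fail, or both return an identical Token.
    function lookupsAgree(ITokenManager manager, bytes32 _symbol) public view returns (bool) {
        (bool found, ITokenManager.Token memory local) =
            scan(manager.getAcceptedTokens(), _symbol);
        try manager.getToken(_symbol) returns (ITokenManager.Token memory remote) {
            // A manager that returns an empty Token instead of reverting counts
            // as a mismatch, since the vault's own lookup would revert.
            return found && keccak256(abi.encode(local)) == keccak256(abi.encode(remote));
        } catch {
            return !found;
        }
    }

    // Checks every accepted symbol plus one symbol expected to be unknown.
    function allLookupsAgree(ITokenManager manager, bytes32 unknownSymbol)
        external view returns (bool)
    {
        ITokenManager.Token[] memory tokens = manager.getAcceptedTokens();
        for (uint256 i = 0; i < tokens.length; i++) {
            if (!lookupsAgree(manager, tokens[i].symbol)) return false;
        }
        return lookupsAgree(manager, unknownSymbol);
    }
}
```

A `false` result from `allLookupsAgree` points at the cases the finding worries about: duplicate symbols, a different failure mode for unknown symbols, or a manager lookup that draws on data other than the accepted-token list.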

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
