The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Mistakenly received WETH amount will be frozen in the vault.

Summary

Mistakenly received WETH amount will be frozen in the vault.

Vulnerability Details

If the owner makes a mistake in the bytes32 _outToken value passed to the swap function, the WETH address is assigned to tokenOut:

tokenOut: getSwapAddressFor(_outToken)

The swap (ERC20 -> WETH or native -> WETH) is then executed, and the vault contract receives WETH as a result.

To swap the mistakenly received WETH back, the owner must set tokenIn to the WETH address, which is only possible when _inToken == NATIVE. Unfortunately, that path calls the executeNativeSwapAndFee function, which forwards _params.amountIn (the received WETH amount) as native value:

ISwapRouter(ISmartVaultManagerV3(manager).swapRouter2()).exactInputSingle{value: _params.amountIn}(_params);

The owner would therefore have to send the entire desired WETH amount as a tax, which may be too large to justify the swap.

Every such mistaken swap leaves the vault holding some amount of WETH, which stays blocked until the owner pays this very large tax.

Impact

Mistakenly received WETH amount will be frozen in the vault.

Tools Used

Manual Review

Recommendations

Do not default tokenOut to the WETH address when _outToken is not a recognised value.
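As an added illustration (not The Standard's code; the NATIVE and WETH constants, the symbol-to-address registry and the function names are assumptions), a minimal lookup with the WETH fallback the report describes, next to a form that rejects unrecognised symbols instead:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical reconstruction for illustration only; not The Standard's code.
// NATIVE, WETH and the symbol -> address registry are assumptions.
contract SwapAddressLookupExample {
    bytes32 public constant NATIVE = bytes32("ETH");
    address public immutable WETH;

    // Accepted symbols (e.g. bytes32("USDC")) and their ERC20 addresses.
    mapping(bytes32 => address) private tokenAddresses;

    error UnknownToken(bytes32 symbol);

    constructor(address _weth) {
        WETH = _weth;
    }

    function addToken(bytes32 _symbol, address _token) external {
        tokenAddresses[_symbol] = _token;
    }

    // Fallback shape: a symbol missing from the registry resolves to
    // address(0), and the NATIVE-or-zero check then silently substitutes WETH,
    // so a typo in _outToken makes the vault swap into WETH it cannot easily
    // swap back out.
    function getSwapAddressForFallback(bytes32 _symbol) public view returns (address) {
        address token = tokenAddresses[_symbol];
        return (_symbol == NATIVE || token == address(0)) ? WETH : token;
    }

    // Hardened shape: only the explicit NATIVE symbol maps to WETH; any other
    // symbol must be registered, otherwise the whole swap call reverts and no
    // WETH is received by mistake.
    function getSwapAddressForHardened(bytes32 _symbol) public view returns (address) {
        if (_symbol == NATIVE) return WETH;
        address token = tokenAddresses[_symbol];
        if (token == address(0)) revert UnknownToken(_symbol);
        return token;
    }
}
```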

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
