The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

The Lack of a Token Pair Pool Upon Calling `SmartVaultV3.swap` Can Expose The SmartVaultV3 Owner to Malicious Pool Creation, and Lost Funds

Summary

In scenarios where some tokens do not have Uniswap V3 pools with WETH, a malicious actor can exploit this by front-running a transaction and establishing a pool with a disproportionately unbalanced liquidity ratio. This tactic has the potential to result in the theft of funds.

Vulnerability Details

The `SmartVaultV3.swap` function, upon invocation, internally executes `executeERC20SwapAndFee` for ERC20 to ERC20 pairs, and `executeNativeSwapAndFee` for ETH to ERC20 pairs. This process employs `exactInputSingle` via Uniswap V3's `SwapRouter`. In the absence of an existing pool between the tokens in question, the transaction attempt fails. A malevolent entity can take advantage of this gap by pre-empting the transaction, creating a pool with a significantly distorted price, thus enabling the appropriation of tokens.

Impact

Predominantly, the tokens become irrecoverable due to the adverse exchange rate. Nonetheless, such occurrences are infrequent, as most tokens are already paired in Uniswap V3, which results in a medium-severity classification for this vulnerability.

Tools Used

Manual Review

Recommendations

A viable strategy is to employ `swapExactInputMultihop` with a designated path that initially converts the less prevalent token into a more liquid one, such as USDC. This method aligns more effectively with the contract's requirements due to the diverse nature of the tokens it manages.
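
The routing recommended above, sketched off-chain as an added example that is not part of the submission or of The Standard's code: it builds the packed `path` bytes that Uniswap V3's `exactInput` expects for a token -> USDC -> WETH route, and goes one step beyond the recommendation by deriving an `amountOutMinimum` floor from an independent reference price so that a quote from a distorted pool is rejected. The addresses are constructed placeholders, and the helper names, fee tiers, reference price and tolerance are assumptions.

```javascript
// Added example. Addresses are constructed placeholders, not real tokens.
const TOKEN = "0x" + "11".repeat(20); // thinly traded token held by the vault
const USDC = "0x" + "22".repeat(20);  // liquid intermediate hop
const WETH = "0x" + "33".repeat(20);  // final output token

// Uniswap V3 multihop path: abi.encodePacked(token, uint24 fee, token, uint24 fee, token).
function encodePath(tokens, fees) {
  if (tokens.length < 2 || fees.length !== tokens.length - 1) {
    throw new Error("need n tokens and n-1 fees");
  }
  let path = "0x";
  tokens.forEach((t, i) => {
    if (!/^0x[0-9a-fA-F]{40}$/.test(t)) throw new Error("bad address: " + t);
    path += t.slice(2).toLowerCase();
    if (i < fees.length) {
      const fee = fees[i];
      if (!Number.isInteger(fee) || fee < 0 || fee > 0xffffff) {
        throw new Error("fee must fit uint24");
      }
      path += fee.toString(16).padStart(6, "0"); // 3 bytes per hop fee
    }
  });
  return path;
}

// Floor for amountOutMinimum: reference price (refNum/refDen output units per
// input unit, taken from a source other than the pool) minus a tolerance in bps.
function minAmountOut(amountIn, refNum, refDen, slippageBps) {
  if (slippageBps < 0n || slippageBps > 10000n) throw new Error("slippage out of range");
  if (refDen <= 0n) throw new Error("bad reference price");
  const expected = (amountIn * refNum) / refDen;
  return (expected * (10000n - slippageBps)) / 10000n;
}

// Mirrors the router's own check: output below amountOutMinimum makes the swap revert.
function swapWouldRevert(quotedOut, floor) {
  return quotedOut < floor;
}

const path = encodePath([TOKEN, USDC, WETH], [3000, 500]);
// 1000 tokens (18 decimals), assumed reference price 2 out per 1 in, 0.5% tolerance.
const floor = minAmountOut(1000n * 10n ** 18n, 2n, 1n, 50n);
console.log(path, floor.toString(), swapWouldRevert(10n ** 18n, floor));
```

With a non-zero floor, a swap routed through a freshly created pool at a distorted price reverts instead of settling at the attacker's rate.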

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
