MorpheusAI
Foundry
22,500 USDC
Submission Details
Severity: low
Invalid

Missing Validation in `_editParams`

Summary

When setting params in L2TokenReceiver, the tokenIn and tokenOut can be the same.

Vulnerability Details

There is no check preventing `tokenIn` and `tokenOut` in `params` from being the same address:

    function _editParams(SwapParams memory newParams_) private {
        // Only the zero address is rejected; nothing prevents tokenIn == tokenOut
        require(newParams_.tokenIn != address(0), "L2TR: invalid tokenIn");
        require(newParams_.tokenOut != address(0), "L2TR: invalid tokenOut"); //@audit missing validation if tokenIn == tokenOut
        // Unlimited approvals: tokenIn to both the router and the position manager, tokenOut to the position manager
        TransferHelper.safeApprove(newParams_.tokenIn, router, type(uint256).max);
        TransferHelper.safeApprove(newParams_.tokenIn, nonfungiblePositionManager, type(uint256).max);
        TransferHelper.safeApprove(newParams_.tokenOut, nonfungiblePositionManager, type(uint256).max);
        params = newParams_;
    }

If `tokenIn` is equal to `tokenOut`, several problems can arise:

  • Operations like swap and increaseLiquidityCurrentRange may be blocked since token 0 and token 1 would be identical.

  • Compatibility issues with certain tokens, such as USDT, may occur when params are updated through `_editParams`. With `tokenIn == tokenOut`, the same token is approved twice for `nonfungiblePositionManager` in a row:

    TransferHelper.safeApprove(newParams_.tokenIn, nonfungiblePositionManager, type(uint256).max);
    TransferHelper.safeApprove(newParams_.tokenOut, nonfungiblePositionManager, type(uint256).max);

The second call reverts because USDT requires the existing allowance to be zero before a new non-zero approval:

    require(!((_value != 0) && (allowed[msg.sender][_spender] != 0)));
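The following Foundry test is an added illustration and is not code from the MorpheusAI repository or from this submission. `UsdtLikeToken` is a constructed mock that reproduces only USDT's non-zero-allowance guard, `ReceiverMock` models just the approval sequence of `_editParams` (calling `approve` directly instead of `TransferHelper.safeApprove`), and the `checkSameToken` flag is an assumed switch used to show the behaviour with and without the recommended `tokenIn != tokenOut` check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Constructed mock: reproduces USDT's approve() guard, nothing else.
contract UsdtLikeToken {
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 value) external returns (bool) {
        // Same guard as USDT: a non-zero allowance must be reset to 0 before
        // it can be set to another non-zero value.
        require(!((value != 0) && (allowance[msg.sender][spender] != 0)), "USDT: non-zero allowance");
        allowance[msg.sender][spender] = value;
        return true;
    }
}

/// Stand-in for the receiver (assumed names); models the approvals done by _editParams.
contract ReceiverMock {
    struct SwapParams { address tokenIn; address tokenOut; }

    address public immutable router;
    address public immutable nonfungiblePositionManager;
    SwapParams public params;

    constructor(address router_, address npm_) {
        router = router_;
        nonfungiblePositionManager = npm_;
    }

    // checkSameToken toggles the recommended validation so both paths can be tested.
    function editParams(SwapParams memory newParams_, bool checkSameToken) external {
        require(newParams_.tokenIn != address(0), "L2TR: invalid tokenIn");
        require(newParams_.tokenOut != address(0), "L2TR: invalid tokenOut");
        if (checkSameToken) {
            require(newParams_.tokenIn != newParams_.tokenOut, "L2TR: tokenIn == tokenOut");
        }
        // Same three approvals as the report's snippet, in the same order.
        UsdtLikeToken(newParams_.tokenIn).approve(router, type(uint256).max);
        UsdtLikeToken(newParams_.tokenIn).approve(nonfungiblePositionManager, type(uint256).max);
        UsdtLikeToken(newParams_.tokenOut).approve(nonfungiblePositionManager, type(uint256).max);
        params = newParams_;
    }
}

contract EditParamsTest is Test {
    UsdtLikeToken usdt;
    UsdtLikeToken other;
    ReceiverMock receiver;

    function setUp() public {
        usdt = new UsdtLikeToken();
        other = new UsdtLikeToken();
        receiver = new ReceiverMock(makeAddr("router"), makeAddr("npm"));
    }

    /// Without the check: the tokenOut approval repeats the tokenIn approval
    /// for the same spender, so the USDT guard reverts the whole update.
    function test_sameTokenRevertsOnUsdtGuard() public {
        vm.expectRevert(bytes("USDT: non-zero allowance"));
        receiver.editParams(ReceiverMock.SwapParams(address(usdt), address(usdt)), false);
    }

    /// Distinct tokens: each (token, spender) pair is approved once, no revert.
    function test_distinctTokensSucceed() public {
        receiver.editParams(ReceiverMock.SwapParams(address(usdt), address(other)), false);
        assertEq(usdt.allowance(address(receiver), receiver.nonfungiblePositionManager()), type(uint256).max);
        assertEq(other.allowance(address(receiver), receiver.nonfungiblePositionManager()), type(uint256).max);
    }

    /// With the recommended check: the bad input is rejected with a clear message
    /// before any approval is attempted.
    function test_checkRejectsSameToken() public {
        vm.expectRevert(bytes("L2TR: tokenIn == tokenOut"));
        receiver.editParams(ReceiverMock.SwapParams(address(usdt), address(usdt)), true);
    }
}
```

Run it with `forge test --match-contract EditParamsTest`. The first test shows the failure mode the report describes; the third shows that the recommended `tokenIn != tokenOut` check turns an opaque approval revert into an explicit input validation error. The same mock also makes visible that any later `editParams` call reusing a USDT-like token against the same spender trips the guard unless the allowance is reset to zero first, which is worth keeping in mind when reviewing how params updates are expected to be performed.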

Impact

Functionality can be blocked.

Tools Used

Manual

Recommendations

It is advised to introduce a check to ensure tokenIn and tokenOut are not the same.

Updates

Lead Judging Commences

inallhonesty (Lead Judge), over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
