By calling the SwapRouterMock::exactInputSingle function, anyone can exchange worthless ERC20 tokens for any valuable ERC20 token, because no check is implemented.
SwapRouterMock has no pool pairs and no whitelist of tokens, and it does not use any priceFeed to determine the price of the other token relative to the first before exchanging. It simply takes any type of ERC20 token as tokenIn and gives out the same amount of tokenOut ERC20 tokens. So anyone can call this exactInputSingle function and obtain whichever ERC20 token SwapRouterMock holds by passing in non-valuable ERC20 tokens, even ones he has just created himself.
contracts/mock/SwapRouterMock.sol#L8-L12
An attacker can drain every type of ERC20 token that SwapRouterMock holds by giving it non-value ERC20 tokens that are worth nothing.
Manual Review
Add a whitelist of token pairs that can be exchanged and whose priceFeed is available on Chainlink, Uniswap, or another oracle. Also use the priceFeed to calculate the amount of tokenOut that will be given to the user in exchange for tokenIn.
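One way to apply this recommendation to a mock router, as an added example that is not the project's code. The contract name, setRate and the rate mapping are hypothetical, and an owner-set rate stands in for the priceFeed lookup; the parameter struct follows Uniswap V3's ISwapRouter.ExactInputSingleParams.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: AllowlistedSwapRouterMock, setRate and rate are hypothetical names.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract AllowlistedSwapRouterMock {
    // Same field layout as Uniswap V3's ISwapRouter.ExactInputSingleParams.
    struct ExactInputSingleParams {
        address tokenIn;
        address tokenOut;
        uint24 fee;
        address recipient;
        uint256 deadline;
        uint256 amountIn;
        uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }

    address public immutable owner;
    // rate[tokenIn][tokenOut]: raw tokenOut units paid per 1e18 raw tokenIn units.
    // Zero means the pair is not allowlisted.
    mapping(address => mapping(address => uint256)) public rate;

    constructor() { owner = msg.sender; }

    // Assumption: the owner supplies the rate; a production router would read it
    // from an oracle price feed and account for each token's decimals.
    function setRate(address tokenIn, address tokenOut, uint256 newRate) external {
        require(msg.sender == owner, "not owner");
        rate[tokenIn][tokenOut] = newRate;
    }

    function exactInputSingle(ExactInputSingleParams calldata p) external returns (uint256 amountOut) {
        require(block.timestamp <= p.deadline, "expired");
        uint256 r = rate[p.tokenIn][p.tokenOut];
        require(r != 0, "pair not allowlisted");   // self-created tokens have no rate
        amountOut = (p.amountIn * r) / 1e18;       // priced payout instead of 1:1
        require(amountOut >= p.amountOutMinimum, "slippage");
        require(IERC20(p.tokenIn).transferFrom(msg.sender, address(this), p.amountIn), "transferFrom failed");
        require(IERC20(p.tokenOut).transfer(p.recipient, amountOut), "transfer failed");
    }
}
```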