First Flight #18: T-Swap

Severity: low
Invalid

[L-02] Code Injection Via Token Name

Description:
Some malicious tokens have been observed to include JavaScript in their name attribute, allowing attackers to extract private keys from users who interact with these tokens via vulnerable frontends.
This has been used to exploit EtherDelta users in the wild (reference).

    // Lines marked @> pass the token's unvalidated name() into the pool token metadata.
    function createPool(address tokenAddress) external returns (address) {
        if (s_pools[tokenAddress] != address(0)) {
            revert PoolFactory__PoolAlreadyExists(tokenAddress);
        }
        string memory liquidityTokenName = string.concat(
            "T-Swap ",
    @>      IERC20(tokenAddress).name()
        );
        string memory liquidityTokenSymbol = string.concat(
            "ts",
    @>      IERC20(tokenAddress).name()
        );
        TSwapPool tPool = new TSwapPool(
            tokenAddress,
            i_wethToken,
            liquidityTokenName,
            liquidityTokenSymbol
        );
        s_pools[tokenAddress] = address(tPool);
        s_tokens[address(tPool)] = tokenAddress;
        emit PoolCreated(tokenAddress, address(tPool));
        return address(tPool);
    }

Impact:
Since there are no checks on the ERC20 name and symbol of the token being imported, script injection via the token name is possible.

Recommended Mitigation:
As also recommended by the previous audit, it's absolutely necessary to sanitize the user's input on the safeAssetSymbol function as the length check is not enough. The asset symbol should only contain Aa-Zz and 0-9 characters while forbidding special ones, i.e. < / >.
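
One way to implement the character allowlist described above, as an added example rather than code from the T-Swap repository or this submission. The `TokenLabel` library, its 32-byte length cap, the `IERC20Metadata` interface declaration and the `PoolNameBuilder` wrapper are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12; // string.concat requires 0.8.12 or later

// Hypothetical helper: allowlist check for token metadata returned by an
// external, untrusted ERC20 contract.
library TokenLabel {
    error TokenLabel__InvalidLength(uint256 length);
    error TokenLabel__InvalidCharacter(uint256 index, bytes1 character);

    uint256 internal constant MAX_LENGTH = 32; // assumed cap, not from the page

    // Reverts unless `label` is 1..MAX_LENGTH bytes, each in [A-Za-z0-9].
    // Works on raw bytes, so any multi-byte UTF-8 sequence is rejected too.
    function requireAlphanumeric(string memory label) internal pure {
        bytes memory raw = bytes(label);
        if (raw.length == 0 || raw.length > MAX_LENGTH) {
            revert TokenLabel__InvalidLength(raw.length);
        }
        for (uint256 i = 0; i < raw.length; i++) {
            bytes1 c = raw[i];
            bool allowed = (c >= 0x30 && c <= 0x39) // 0-9
                || (c >= 0x41 && c <= 0x5A) // A-Z
                || (c >= 0x61 && c <= 0x7A); // a-z
            if (!allowed) revert TokenLabel__InvalidCharacter(i, c);
        }
    }
}

interface IERC20Metadata {
    function name() external view returns (string memory);
}

// Hypothetical wrapper showing where the check would sit relative to the
// string.concat call in createPool: validate first, concatenate second.
contract PoolNameBuilder {
    function liquidityTokenName(address tokenAddress) external view returns (string memory) {
        string memory tokenName = IERC20Metadata(tokenAddress).name();
        TokenLabel.requireAlphanumeric(tokenName); // reverts on '<', '/', '>', quotes, spaces
        return string.concat("T-Swap ", tokenName);
    }
}
```

Legitimate names that contain a space, such as "Wrapped Ether" or "USD Coin", fail this strict allowlist, so pool creation for those tokens would revert unless the permitted character set is widened.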

Updates

Appeal created

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
