First Flight #18: T-Swap

Submission Details
Severity: medium
Invalid

Tokens with hooks ERC777

Summary

ERC777 defines hooks that run before and after every interaction with the token (before transfer and after transfer), which allow an attacker to reenter the pool contract.

Vulnerability Details

The attacker can reenter the contract whenever the pool transfers tokens from or to the user. Once the attacker can reenter the contract, the possibilities are unlimited.

For example, when the attacker adds liquidity, the attack steps can be:

  1. The pool transfers WETH from the attacker to the pool.

  2. The hook is called on the attacker's contract after the transfer of funds, and the attacker can now reenter.

  3. The amount of WETH in the pool is now high, so the price of WETH is low and the price of poolToken is higher.

  4. The attacker swaps poolTokens for WETH at the higher price, making a profit.

  5. The reentrancy ends.

  6. The pool transfers poolTokens from the attacker to the pool to complete the deposit.

    function _addLiquidityMintAndTransfer(
        uint256 wethToDeposit,
        uint256 poolTokensToDeposit,
        uint256 liquidityTokensToMint
    ) private {
        _mint(msg.sender, liquidityTokensToMint);
        emit LiquidityAdded(msg.sender, poolTokensToDeposit, wethToDeposit);
        // Interactions
        i_wethToken.safeTransferFrom(msg.sender, address(this), wethToDeposit); // <<< step #2
        i_poolToken.safeTransferFrom( // <<< step #6
            msg.sender,
            address(this),
            poolTokensToDeposit
        );
    }

Impact

Attacker can drain the whole pool.

Tools Used

Manual review.

Recommendations

Either disallow tokens with hooks, or add reentrancy protection.
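A toy model of the mid-deposit window described in the steps above and of the reentrancy lock recommended here, added as an illustration (it is not code from the submission or from T-Swap). The `ToyPool` class, the fee-less constant-product pricing, the `hook` callback and all reserve figures are assumptions constructed for the example.

```python
from contextlib import contextmanager

class Reentrancy(Exception):
    """A guarded function was entered while the lock was held."""

class ToyPool:
    """Fee-less x*y=k pool with integer math. Hypothetical, not the T-Swap contract."""

    def __init__(self, weth, tokens, guarded):
        self.weth, self.tokens = weth, tokens        # reserves
        self.guarded, self.locked = guarded, False

    @contextmanager
    def _non_reentrant(self):
        if self.guarded and self.locked:
            raise Reentrancy("reentrant call rejected")
        prev, self.locked = self.locked, True
        try:
            yield
        finally:
            self.locked = prev

    def quote_weth_out(self, tokens_in):
        return self.weth * tokens_in // (self.tokens + tokens_in)

    def swap_tokens_for_weth(self, tokens_in):
        with self._non_reentrant():
            out = self.quote_weth_out(tokens_in)
            self.tokens += tokens_in
            self.weth -= out
            return out

    def add_liquidity(self, weth_in, tokens_in, hook):
        with self._non_reentrant():
            self.weth += weth_in       # step 1: WETH reaches the pool
            hook(self)                 # step 2: transfer hook runs the sender's code
            self.tokens += tokens_in   # step 6: pool tokens arrive only afterwards

def swap_seen_from_hook(guarded):
    """WETH paid to a swap made inside the hook, or 'reverted' if the lock blocks it."""
    pool = ToyPool(100_000, 100_000, guarded)        # constructed reserves
    seen = []
    try:
        pool.add_liquidity(50_000, 50_000,
                           lambda p: seen.append(p.swap_tokens_for_weth(10_000)))
    except Reentrancy:
        return "reverted"   # on-chain, the whole transaction would revert
    return seen[0]

# Quote for the same swap against consistent reserves, for comparison.
FAIR_QUOTE = ToyPool(100_000, 100_000, False).quote_weth_out(10_000)
```

Comparing `swap_seen_from_hook(False)` with `FAIR_QUOTE` shows how far the quote drifts while only one side of the deposit has landed; with `guarded=True` the nested call is rejected before it reads the reserves.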

Updates

Appeal created

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

ERC777
