First Flight #18: T-Swap

First Flight #18
Beginner FriendlyDeFiFoundry
100 EXP
View results
Submission Details
Severity: medium
Invalid

PoolFactory::createPool missing WETH token address check, allowing unintended WETH/WETH pools

Summary

The createPool function in the PoolFactory contract fails to check if the tokenAddress is equal to i_wethToken. This oversight permits the creation of pools where both tokens are WETH, contrary to the intended design which only supports Token/WETH pools

Vulnerability Details

The createPool function is designed to create liquidity pools with a given token and WETH. However, the function does not include a required check to prevent the creation of a pool with WETH as both the base token and the liquidity token. This can lead to the creation of WETH/WETH pools, which are not supported and can cause unexpected behavior in the pool management system.

Impact

Fee Generation Issues: The creation of WETH/WETH pools allows fees (0.03%) to be generated without actual asset exchange, which can mislead fee distribution mechanisms and affect the expected revenue streams from the liquidity pools.

Operational Inefficiencies: WETH/WETH pools do not facilitate meaningful liquidity provision or trading opportunities since there is no actual exchange of assets. This can lead to wasted gas fees and blockchain resources.

Financial Risks: Users might inadvertently interact with WETH/WETH pools expecting standard Token/WETH functionality, potentially leading to unintended financial losses or misunderstandings.

Tools Used

Manual Code Review
Foundry Unit Test

POC

contract Base is Test {
PoolFactory factory;
TSwapPool pool;
ERC20Mock token;
ERC20Mock weth;
address Lp = makeAddr("LiquidityProvider");
uint256 LpBalance = 100000000 * 10 **18 ;
function setUp() public {
token = new ERC20Mock();
weth = new ERC20Mock();
factory = new PoolFactory(address(weth));
pool = new TSwapPool(address(token),address(weth), "ERC20Mock" , 'E20M');
token.mint(Lp, LpBalance);
weth.mint(Lp, LpBalance);
}
function test_CreatePoolWethToWeth() public {
vm.startPrank(Lp);
address poolAddress = factory.createPool(address(weth));
assertEq(poolAddress, factory.getPool(address(weth)));
assertEq(address(weth), factory.getToken(poolAddress));
}

Recommendations

include a require statement to check that tokenAddress is not equal to i_wethToken:

function createPool(address tokenAddress) external returns (address) {
if (s_pools[tokenAddress] != address(0)) {
revert PoolFactory__PoolAlreadyExists(tokenAddress);
}
++ require(tokenAddress != i_wethToken, "WETH token address is not allowed");
string memory liquidityTokenName = string.concat("T-Swap ", IERC20(tokenAddress).name());
string memory liquidityTokenSymbol = string.concat("ts", IERC20(tokenAddress).symbol());
TSwapPool tPool = new TSwapPool(tokenAddress, i_wethToken, liquidityTokenName, liquidityTokenSymbol);
s_pools[tokenAddress] = address(tPool);
s_tokens[address(tPool)] = tokenAddress;
emit PoolCreated(tokenAddress, address(tPool));
return address(tPool);
}
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
chaossr Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.