Summary
The claimAndSwap function in StrategyArb.sol does not check for insufficient balance.
Vulnerability Details
The function assumes that the contract's balance is sufficient to cover _amountClaim, but this might not be true. The missing check creates a mismatch between the assumed and actual state of the contract, leading to inconsistencies or unexpected failures.
    function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IRamsesRouter.route[] calldata _path) external onlyKeepers {
        transmuter.claim(_amountClaim, address(this));
        uint256 balBefore = asset.balanceOf(address(this));
        _swapUnderlyingToAsset(_amountClaim, _minOut, _path);
        uint256 balAfter = asset.balanceOf(address(this));
        require((balAfter - balBefore) >= _minOut, "Slippage too high");
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }
Impact
Swap could fail due to insufficient balance.
Tools Used
Manual review.
Recommendations
Add a require that checks the balance before the claim.
This ensures the contract has enough balance (balBefore) before executing.
    function claimAndSwap(uint256 _amountClaim, uint256 _minOut, IRamsesRouter.route[] calldata _path) external onlyKeepers {
        transmuter.claim(_amountClaim, address(this));
        uint256 balBefore = asset.balanceOf(address(this));
        _swapUnderlyingToAsset(_amountClaim, _minOut, _path);
        uint256 balAfter = asset.balanceOf(address(this));
        require((balAfter - balBefore) >= _minOut, "Slippage too high");
        // Added check: the asset balance read before the swap must be at least _amountClaim
        require(balBefore >= _amountClaim, "Insufficient balance before claim");
        transmuter.deposit(asset.balanceOf(address(this)), address(this));
    }
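The following is an added sketch, not code from StrategyArb.sol or from this report. It shows a balance check that runs right after the claim and before any swap, by measuring what the claim actually delivered. It assumes a hypothetical `underlying` state variable for the token that `transmuter.claim` pays out; the interface, contract and helper names are also made up for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal interfaces declared here so the sketch compiles on its own (hypothetical names).
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
}

interface ITransmuterLike {
    // Same call shape as transmuter.claim(_amountClaim, address(this)) in the report.
    function claim(uint256 amount, address recipient) external;
}

abstract contract ClaimBalanceGuard {
    // Assumption: `underlying` is the token the transmuter pays out on claim.
    IERC20Like public immutable underlying;
    ITransmuterLike public immutable transmuter;

    constructor(IERC20Like _underlying, ITransmuterLike _transmuter) {
        underlying = _underlying;
        transmuter = _transmuter;
    }

    // Claims, then verifies the contract really received the amount it is about to swap.
    function _claimChecked(uint256 _amountClaim) internal returns (uint256 received) {
        uint256 underlyingBefore = underlying.balanceOf(address(this));
        transmuter.claim(_amountClaim, address(this));
        // Measure the balance change instead of trusting _amountClaim.
        received = underlying.balanceOf(address(this)) - underlyingBefore;
        require(received >= _amountClaim, "Insufficient balance after claim");
    }
}
```

A caller such as claimAndSwap would pass the returned amount on to the swap, so a shortfall reverts with an explicit reason before the router is called.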