Invalid Engine Parameter Allows Arbitrary USD Token Burning Leading to Fund Loss
Summary
The fulfillSwap function accepts an engine parameter from the caller (keeper) without validating it against the vault’s stored engine. This allows malicious keepers to burn an arbitrary USD token (e.g., USDTokenB) instead of the vault’s configured token (USDTokenA), leaving user deposits unburned and enabling theft of protocol reserves.
Vulnerability Details
Looking at the fulfillSwap function:
The engine parameter is provided by the caller (keeper) and directly used to fetch the USD token address from marketMakingEngineConfiguration.usdTokenOfEngine[engine]. The vault’s actual engine (stored in vault.engine) is never compared to the caller-provided engine. Therefore lets say a malicious keeper can pass an engine address unrelated to the vault, causing the contract to burn an incorrect USD token.
Impact
Attackers can drain reserves of any USD token held by the contract and also burning incorrect tokens disrupts the system’s financial integrity.
Tools Used
Manual code review.
Recommendations
Remove the engine parameter and derive it directly from the vault:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.