User can pass different engine in refundSwap
Summary
When a user requests a refund for a swap, they can provide a request ID and specify an engine. However, they are able to select an engine different from the one originally connected to the vault, potentially leading to inconsistencies in the refund process.
Vulnerability Details
Consider the following scenario:
A user initiates a swap request for Vault A, which is linked to Engine A.
The user sends USD tokens associated with Engine A.
During the
refundSwapprocess, the user can specify a different engine (e.g., Engine B), allowing them to receive a different type of USD token as a refund.
This discrepancy creates an opportunity for exploitation, as users may manipulate the system to receive refunds in unintended token types.
Impact
User can refund to themselfs, different USD token and benefit from this, when there is a drop of the price of the USD token assigned to their engine.
Tools Used
Manual review
Recommendations
To mitigate this issue, ensure that the refund process enforces the correct engine associated with the original swap request. Implement validation checks to prevent mismatched engine selections.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.