Stuck Funds
Summary
In StabilityBranch swap requests are first initiated through initiateSwap and then either fulfilled through fulfillSwap or refunded through refundSwap. For both fulfilling and refunding there is a base fee which is paid by the user - when fulfilled through the out amount and when refunded through the in amount. The problem is that a swap request can be initiated with such amount that cannot be either fulfilled or refunded due to a revert.
Vulnerability Details
In StabilityBranch swap requests are first initiated through initiateSwap and then either fulfilled through fulfillSwap or refunded through refundSwap. For both fulfilling and refunding there is a base fee which is paid by the user - when fulfilled through the out amount and when refunded through the in amount. The problem is that a swap request can be initiated with such amount that cannot be either fulfilled or refunded due to a revert. This happens because the base fee does not rely on the amount. If such a swap is created by a user (the system will let him to do so), his funds will be stuck without a way to get them back.
Impact
Stuck funds and loss of user trust.
Tools Used
Manual Review
Recommendations
Either change the way the base fee is calculated (for example as a percentage of the amount) or create a function that can be called only by the admin/owner to restore stuck funds from the contract.
Lead Judging Commences
initiateSwap can be called with amount < than base fee, making the refund function revert due to underflow - funds stuck
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.