Part 2

Summary

The function refundSwap allows user to pass an arbitrary engine address, enabling them to withdraw USD tokens from an unintended engine. This could lead to:

• Draining USD tokens from the contract.

• Preventing legitimate swap orders from being fulfilled due to missing funds.

Vulnerability Details

The function retrieves the USD token associated with the provided engine:

There is NO check if engine is the correct one for the requestId!

• The attacker can create a malicious order which will not get executed.

• After the order passes deadline, the attacker will look for legitimate orders.

• A user will submit a swap request.

• Before users swap request is processed, the attacker will call refundSwap with the engine address from user's created order

• Attacker will get the usd token from user's order and due to shortage of token, the swap will fail.

Attack Scenario

1. Attacker submits a swap request worth 100e18 usd associated with engine_A.

2. Attacker waits until dealine passes.

3. A user submits a swap request worth 100e18 usd associated with engine_B.

4. The attacker calls refundSwap but pass engine_B instead of engine_A before keeper can process user's swap request

5. The refundSwap will get user's usd which is associated with engine_B

6. When keeper calls fulfillSwap to complete the swap, it will fail due to lack of usd token assciated with engine_B which has to be burned

Impact

• Unauthorized token withdrawals from the contract associated with different engine.

• Legitimate users' funds will be stolen, preventing swaps from being completed.

Recommendation

Verify the engine address passed matches the swap request's vault's engine before transferring USD token back to user