Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

recipient always is caller when swapping on curve, lead to token become stuck in the contract

zukanopro

Vulnerability Details

In CurveAdapter#executeSwapExactInputSingle() function, it will call to curve to swap token through exchange_with_best_rate() function:

function executeSwapExactInputSingle(SwapExactInputSinglePayload calldata swapPayload)

external

returns (uint256 amountOut)

{

// transfer the tokenIn from the send to this contract

IERC20(swapPayload.tokenIn).transferFrom(msg.sender, address(this), swapPayload.amountIn);

// approve the tokenIn to the swap router

address curveStrategyRouterCache = curveStrategyRouter;

IERC20(swapPayload.tokenIn).approve(curveStrategyRouterCache, swapPayload.amountIn);

// get the expected output amount

uint256 expectedAmountOut = getExpectedOutput(swapPayload.tokenIn, swapPayload.tokenOut, swapPayload.amountIn);

// Calculate the minimum acceptable output based on the slippage tolerance

uint256 amountOutMinimum = calculateAmountOutMin(expectedAmountOut);

return ICurveSwapRouter(curveStrategyRouterCache).exchange_with_best_rate({ // <--

_from: swapPayload.tokenIn,

_to: swapPayload.tokenOut,

_amount: swapPayload.amountIn,

_expected: amountOutMinimum,

_receiver: swapPayload.recipient // <--

});

}

In exchange_with_best_rate function, receiver is always caller, which is CurveAdapter contract:

def exchange_with_best_rate(

_from: address,

_to: address,

_amount: uint256,

_expected: uint256,

_receiver: address = msg.sender, // <--

)

And after swapping, it do not transfer token to actual recipient, lead to token stuck in the contract

Impact

Swapped token stuck in the contract

Recommendations

In CurveAdapter#executeSwapExactInputSingle() function, transfer token to recipient after swapping

Updates

Lead Judging Commences

inallhonesty Lead Judge

4 months ago

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.