Part 2

Zaros

PerpetualsDEXFoundrySolidity

70,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

The refundSwap function does not enforce authorisation in the StabilityBranch contract

gbadebosmith

Summary

An access control vulnerability exists in the refundSwap(uint128,address) function of the StabilityBranch contract. The function does not enforce the onlyRegisteredSystemKeepers modifier, allowing any user to invoke the refund process. This can enable malicious actors to trigger unwanted or premature refunds of swap requests, potentially interfering with normal user operations and system integrity.

Vulnerability Details

Location:
- Contract: StabilityBranch
- Location: https://github.com/Cyfrin/2025-01-zaros-part-2/blob/35deb3e92b2a32cd304bf61d27e6071ef36e446d/src/market-making/branches/StabilityBranch.sol#L436-L490
- Function: refundSwap(uint128,address)
- Relevant File Snippet:
  function refundSwap(uint128 requestId, address engine) external {
  // missing onlyRegisteredSystemKeepers or similar access control
  ...
  }
Finding:
Because there is no access control modifier (e.g., onlyRegisteredSystemKeepers or equivalent) on refundSwap, any externally owned account can call this function. Attackers can maliciously refund a swap request, causing unwarranted token flows or blocking legitimate swaps from being fulfilled.

Impact

By exploiting the missing modifier, a malicious user could:

Disrupt Active Swaps: Force refunds of valid, in‐progress swap requests.
Cause Financial or Operational Damage: If refunds are executed unexpectedly, users could lose opportunities to execute favorable swaps, and the system might behave unpredictably.
Undermine Trust in the Platform: Users rely on the expectation that only authorized entities (keepers or administrators) can process certain sensitive functions. This vulnerability breaks that assumption.

Tools Used

Manual Code Review: The absence of an access control modifier was identified through direct inspection of refundSwap.

Recommendations

Restrict Access

Apply the onlyRegisteredSystemKeepers modifier (or a similarly restrictive modifier) to the refundSwap function.
Example:
function refundSwap(uint128 requestId, address engine)
external
onlyRegisteredSystemKeepers
{
...
}
This ensures that only privileged entities (trusted keepers) can execute this sensitive action.

Updates

Lead Judging Commences

inallhonesty Lead Judge

7 months ago

inallhonesty Lead Judge 6 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

70,000 USDC

nSLOC

3,258

21 USDC / LOC

High Medium

66,500

Low

3,500

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.