Part 2

Zaros
Tags: Perpetuals, DEX, Foundry, Solidity
70,000 USDC
Submission Details
Severity: high
Invalid

Reentrancy Exploit in _convertAssetsToUsdc and _convertUsdcToAssets functions in CreditDelegationBranch.sol: Vault Draining via Malicious DEX Adapter

Summary

The contract uses UniswapV2Adapter and UniswapV3Adapter, which are well-known DEX adapters.

However, the contract does not directly enforce that dexAdapter is always one of those Uniswap adapters.

An attacker could therefore get the contract to use a fake adapter that exposes the same function signatures as the Uniswap adapters but runs malicious logic inside.

Vulnerability Details

The functions do not follow the Checks-Effects-Interactions (CEI) pattern, making them vulnerable to reentrancy and state inconsistencies.

The function makes an external call to the DEX adapter before updating internal state:

IERC20(asset).approve(dexSwapStrategy.dexAdapter, assetAmount);   // external call to the adapter's token allowance
usdcOut = dexSwapStrategy.executeSwapExactInputSingle(swapCallData); // external swap call; internal state is updated only afterwards

Why is this dangerous?

  • If dexAdapter is malicious, it can re-enter the function before state updates occur.

  • If the swap fails, the contract state remains unchanged, leading to inconsistencies and possible fund loss.

Impact

Reentrancy risk

Swap Manipulation

Failed Swaps Leave Inconsistent State

Tools Used

Manual Review

Recommendations

Check inputs first

Deduct fees & update internal state before calling dexAdapter

Execute swaps only after internal state is updated

Validate swap results before finalizing execution
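A CEI-ordered sketch of the conversion path that follows the four recommendations above, added here as an example and not Zaros's code: the IDexAdapter interface, the allowedAdapters allowlist, the pendingAssets ledger and the usdcCredit counter are assumed names; only approve and executeSwapExactInputSingle come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch, not Zaros code: IDexAdapter, allowedAdapters, pendingAssets
// and usdcCredit are assumed names standing in for the real storage layout.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}
interface IDexAdapter {
    function executeSwapExactInputSingle(bytes calldata swapCallData) external returns (uint256);
}
contract ConversionSketch {
    address public immutable usdc;
    mapping(address => bool) public allowedAdapters;   // registered DEX adapters only
    mapping(address => uint256) public pendingAssets;  // assets awaiting conversion
    uint256 public usdcCredit;                         // USDC realised so far
    uint256 private locked = 1;                        // simple reentrancy guard

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    constructor(address usdc_) { usdc = usdc_; }

    function _convertAssetsToUsdc(
        address asset, address dexAdapter, uint256 assetAmount,
        uint256 minUsdcOut, bytes calldata swapCallData
    ) internal nonReentrant returns (uint256 usdcOut) {
        // Checks: refuse unknown adapters and amounts the ledger cannot cover
        require(allowedAdapters[dexAdapter], "adapter not allowed");
        require(assetAmount > 0 && pendingAssets[asset] >= assetAmount, "bad amount");
        // Effects: commit the debit before any external call is made
        pendingAssets[asset] -= assetAmount;
        // Interactions: approve exactly what is swapped, call the adapter, clear the allowance
        uint256 before = IERC20(usdc).balanceOf(address(this));
        IERC20(asset).approve(dexAdapter, assetAmount);
        IDexAdapter(dexAdapter).executeSwapExactInputSingle(swapCallData);
        IERC20(asset).approve(dexAdapter, 0);
        // Validate from the actual balance change, not the adapter's return value;
        // a revert here also rolls back the debit recorded above
        usdcOut = IERC20(usdc).balanceOf(address(this)) - before;
        require(usdcOut >= minUsdcOut, "insufficient output");
        usdcCredit += usdcOut;
    }
}
```

The nonReentrant guard closes the re-entry path on its own; the allowlist and the balance-delta check are what stop a look-alike adapter from reporting a swap that never delivered USDC.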

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
