Missing Base Fee Check in initiateSwap Can Lead to Stuck Funds
Summary
The initiateSwap function in StabilityBranch.sol does not enforce a check to ensure that the amount a user is trying to swap is greater than the base fee. This can result in tokens getting stuck in the contract if the swap is not fulfilled.
Vulnerability Details
When a user initiates a swap via initiateSwap, the function transfers amountsIn[i] of the USD token to the contract but does not verify that this amount exceeds the base fee (baseFeeUsd). Later, if the swap request expires and the user attempts to refund their tokens via refundSwap, the function deducts the base fee before refunding the remainder. If the initial amountIn is less than baseFeeUsd, the refund amount becomes negative, leading to the transaction reverting and preventing users from reclaiming their funds.
Impact
Users who initiate swaps with an
amountInsmaller thanbaseFeeUsdwill be unable to recover their funds if the swap is not fulfilled.The contract will accumulate stuck tokens over time, leading to potential loss of user funds.
Tools Used
Manual code review
Recommendations
-
Add a check in
initiateSwapto ensure thatamountsIn[i]is greater thanbaseFeeUsd. Example fix:if (amountsIn[i] <= tokenSwapData.baseFeeUsd) {revert Errors.InsufficientAmountForSwap(amountsIn[i], tokenSwapData.baseFeeUsd);} -
Consider implementing a mechanism to allow protocol administrators to recover stuck tokens if necessary.
Lead Judging Commences
initiateSwap can be called with amount < than base fee, making the refund function revert due to underflow - funds stuck
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.