Description

Since liquidity-pair contacts can be invoked directly, the fees charged by the router contract can be avoided by manually performing multi-leg swaps.

Impact

The router cannot strictly enforce fee collection.

Recommendations

This can be deemed an acceptable compromise. If router fees must be enforced, the liquidity-pair contract could be modified to enforce all calls to come from the address of the router.

Remediation

The current behavior is an acceptable compromise between doing nothing and doing something a lot more complicated. We’re going to leave it as-is.