Category: Business Logic

Potential lock-up of funds in FractalVaultV1 as anySwap Router is not approved

Medium Severity
Medium Impact
Medium Likelihood

Description

FractalVaultV1 does not approve the anySwap router before executing anySwapOutUnderlying, so all withdrawal attempts would fail.

function withdrawToLayerOne(...) {
	...
	emit WithdrawToLayerOne(msg.sender, amount);
	anySwapRouter.anySwapOutUnderlying(anyToken, anyswapRouter, amount, chainId);
}

Impact

FractalVaultV1 will never be able to withdraw to LayerOne. The recoverERC20 function can be used in an emergency to manually transfer funds as a backup; however, this is likely not the intended flow of funds.

Recommendations

Approve the AnySwap router before calling anySwapOutUnderlying.
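
One way to apply this recommendation, as an added sketch that is not Fractal's code or part of the original report. It assumes the router pulls the underlying token from the caller with transferFrom, and that OpenZeppelin's SafeERC20 (4.9 or later) is available; the contract name, the owner check, the `underlying` variable and the `to` parameter are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed router interface: only the call shown in the finding.
interface IAnySwapRouter {
    function anySwapOutUnderlying(address token, address to, uint256 amount, uint256 toChainID) external;
}

// Hypothetical vault sketch, not FractalVaultV1 itself.
contract VaultWithdrawSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable underlying;            // token the vault holds (assumed)
    address public immutable anyToken;             // anyToken wrapper passed to the router
    IAnySwapRouter public immutable anySwapRouter;
    address public immutable owner;                // hypothetical access control

    event WithdrawToLayerOne(address indexed caller, uint256 amount);

    constructor(IERC20 underlying_, address anyToken_, IAnySwapRouter router_) {
        underlying = underlying_;
        anyToken = anyToken_;
        anySwapRouter = router_;
        owner = msg.sender;
    }

    function withdrawToLayerOne(address to, uint256 amount, uint256 chainId) external {
        require(msg.sender == owner, "not owner");
        require(amount > 0 && amount <= underlying.balanceOf(address(this)), "bad amount");

        // Without this allowance the router's transferFrom reverts and the
        // withdrawal can never succeed. Approve exactly `amount`, not max.
        underlying.forceApprove(address(anySwapRouter), amount);

        emit WithdrawToLayerOne(msg.sender, amount);
        anySwapRouter.anySwapOutUnderlying(anyToken, to, amount, chainId);

        // Clear any unspent allowance so the router holds no standing
        // spending rights over vault funds between withdrawals.
        underlying.forceApprove(address(anySwapRouter), 0);
    }
}
```

A per-call, exact-amount approval limits what a compromised or upgraded router could pull from the vault, compared with a one-time unlimited approval.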

Remediation

The issue has been acknowledged by Fractal.

Zellic © 2024