Category: Business Logic
Potential lock-up of funds in FractalVaultV1 as anySwap Router is not approved
Medium Severity
Medium Impact
Medium Likelihood
Description
The FractalVaultV1 does not approve the anySwap router before executing anySwapOutUnderlying, so all withdrawal attempts would fail.
function withdrawToLayerOne(...) {
...
emit WithdrawToLayerOne(msg.sender, amount);
anySwapRouter.anySwapOutUnderlying(anyToken, anyswapRouter, amount, chainId);
}
Impact
The FractalVaultV1 will never be able to withdraw to LayerOne. The recoverERC20 function can be used in an emergency to manually transfer funds as a backup; however, this is likely not the intended flow of funds.
Recommendations
Approve the AnySwap router before calling anySwapOutUnderlying.
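A sketch of the recommended flow, added here as an illustration and not taken from Fractal's code base. The contract name, `owner`, `underlying` and `recipient` are assumed names; the router call and event mirror the excerpt above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IAnyswapRouter {
    function anySwapOutUnderlying(address token, address to, uint256 amount, uint256 toChainID) external;
}

// Sketch only: `owner`, `underlying` and `recipient` are assumed names, not Fractal's.
contract VaultWithdrawSketch {
    address public immutable owner;
    IERC20 public immutable underlying;            // asset held by the vault
    address public immutable anyToken;             // anyToken wrapping `underlying`
    IAnyswapRouter public immutable anySwapRouter;
    address public immutable recipient;            // receiver on the destination chain
    uint256 public immutable chainId;              // destination chain id

    event WithdrawToLayerOne(address indexed caller, uint256 amount);

    constructor(IERC20 underlying_, address anyToken_, IAnyswapRouter router_, address recipient_, uint256 chainId_) {
        owner = msg.sender;
        underlying = underlying_;
        anyToken = anyToken_;
        anySwapRouter = router_;
        recipient = recipient_;
        chainId = chainId_;
    }

    function withdrawToLayerOne(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        // The router pulls `amount` of the underlying from this contract, so it
        // needs an allowance first. Approving exactly `amount` leaves no standing
        // allowance once the router has consumed it.
        // Tokens that return no value from approve() need a SafeERC20-style wrapper.
        require(underlying.approve(address(anySwapRouter), amount), "approve failed");
        emit WithdrawToLayerOne(msg.sender, amount);
        anySwapRouter.anySwapOutUnderlying(anyToken, recipient, amount, chainId);
    }
}
```

A fork test that calls withdrawToLayerOne against the deployed router would catch a missing approval before release, since the call reverts without it.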
Remediation
The issue has been acknowledged by Fractal.