Assessment reportsPublic findings
Back to Zellic site
Assessment reports>STFX>High findings>ABI-encoded inputs can mismatch specified amount
GeneralOverview
Findings
High (1)ABI-encoded inputs can mismatch specified amount
Medium (4)
DiscussionCentralizationEighteen-decimal compliance
Threat ModelsWhat are threat models?spot.solswap.soltrade.solvesting.solvestingFactory.sol
Audit ResultsSummary
Category: Coding Mistakes

ABI-encoded inputs can mismatch specified amount

High Severity
High Impact
Medium Likelihood

Description

A manager or admin can execute a swap via Uniswap's universal router. However, they can potentially cause a mismanagement of funds if they abi.encode a different value in the inputs parameter than what is specified in the amountIn parameter for the swap.

Impact

The following function permits the swap:

function swapUniversalRouter(
    address tokenIn,
    address tokenOut,
    uint160 amountIn,
    bytes calldata commands,
    bytes[] calldata inputs,
    ...
) external override onlyTrade returns (uint96) {
    ...
    if (deadline > 0) universalRouter.execute(commands, inputs, deadline);
    ...
}

As seen in this snippet, universalRouter.execute(commands, inputs, deadline) has no accordance to the amountIn parameter and thus inputs, which is supposed to encode the amountIn, can be a different value. The protocol uses amountIn for its internal accounting and therefore can become out of sync.

Recommendations

We recommend extracting the amountIn from the ABI-encoded inputs function param.

Remediation

STFX acknowledged and resolved the issue in fb58bb9f

Zellic © 2024Back to top ↑