QuickSwap and StellaSwap contest - 8olidity's results

Lines of code

https://github.com/code-423n4/2022-09-quickswap/blob/main/src/core/contracts/AlgebraFactory.sol#L91

Vulnerability details

Impact

Improper vaultAddress Settings can cause financial damage

Proof of Concept

  // src/core/contracts/AlgebraFactory.sol
  function setVaultAddress(address _vaultAddress) external override onlyOwner {
    require(vaultAddress != _vaultAddress);
    emit VaultAddress(_vaultAddress);
    vaultAddress = _vaultAddress;
  }

In the pool, _payCommunityFee() is called to transfer the processing fee to the Vault address.

    if (communityFee > 0) {
      _payCommunityFee(zeroToOne ? token0 : token1, communityFee);
    }

If Vault is 0 address, then communityFee will be lost

If vault is the address of token0 or token1, then balanceToken0(),balanceToken1() in the pool will be affected.

  function _payCommunityFee(address token, uint256 amount) private {
    address vault = IAlgebraFactory(factory).vaultAddress();
    TransferHelper.safeTransfer(token, vault, amount);
  }

Tools Used

vscode

Recommended Mitigation Steps

check vault address