Revert Lend - Myd's results

Lines of code

https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/utils/Swapper.sol#L73-L118 https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/utils/Swapper.sol#L73-L118

Vulnerability details

Details

_routerSwap relies on the correctness and security of the external routers (0x Router and Universal Router). If there are vulnerabilities or exploits in these external contracts, an attacker could potentially craft malicious calldata to exploit the Revert Lend protocol.

The function does not have built-in mechanisms to detect or prevent such attacks.

Another issue is that the_routerSwap function does not have a deadline or expiration time for the swap, which could expose the protocol to potential front-running or sandwich attacks.

Impact

An attacker could potentially:

• Manipulate the swap process to their advantage
• Drain funds from the protocol
• Execute unauthorized actions
• Inflate prices or manipulate market conditions

Proof of Concept

https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/utils/Swapper.sol#L73-L118

function _routerSwap(RouterSwapParams memory params)
    internal
    returns (uint256 amountInDelta, uint256 amountOutDelta)
{
    // ...
    (address router, bytes memory routerData) = abi.decode(params.swapData, (address, bytes));

    if (router == zeroxRouter) {
        ZeroxRouterData memory data = abi.decode(routerData, (ZeroxRouterData));
        // ...
        (bool success,) = zeroxRouter.call(data.data);
        // ...
    } else if (router == universalRouter) {
        UniversalRouterData memory data = abi.decode(routerData, (UniversalRouterData));
        // ...
        IUniversalRouter(universalRouter).execute(data.commands, data.inputs, data.deadline);
    }
    // ...
}

The above shows that the _routerSwap function decodes the swap data based on the router address and directly calls the external router contracts (zeroxRouter.call and IUniversalRouter(universalRouter).execute) without performing any additional validation or checks on the swap data itself.

2. Lack of Deadline or Expiration Time: The _routerSwap function does not have a built-in mechanism to enforce a deadline or expiration time for the swap. This could expose the protocol to potential front-running or sandwich attacks.

Impact

Without a deadline or expiration time, an attacker could:

• Front-run the swap transaction by observing it in the mempool and executing their own transaction with a higher gas price.
• Perform a sandwich attack by placing orders before and after the swap transaction to manipulate the price and profit from the price movement.

https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/utils/Swapper.sol#L73-L118

function _routerSwap(RouterSwapParams memory params)
    internal
    returns (uint256 amountInDelta, uint256 amountOutDelta)
{
    // ...
    if (router == zeroxRouter) {
        // ...
        (bool success,) = zeroxRouter.call(data.data);
        // ...
    } else if (router == universalRouter) {
        // ...
        IUniversalRouter(universalRouter).execute(data.commands, data.inputs, data.deadline);
    }
    // ...
}

In the code above demonstrates that the _routerSwap function does not have any built-in checks for a deadline or expiration time. It directly executes the swap without considering the time sensitivity of the transaction.

Tools Used

vs code

Recommended Mitigation Steps

Verify that the swap data does not contain any malicious instructions or unauthorized actions. Consider implementing a whitelist of approved external routers and swap data formats.

Add a deadline or expiration time check to the _routerSwap function to prevent front-running and sandwich attacks.

Assessed type

Other