Platform: Code4rena
Start Date: 19/01/2024
Pot Size: $36,500 USDC
Total HM: 9
Participants: 113
Period: 3 days
Judge: 0xsomeone
Id: 322
League: ETH
Rank: 66/113
Findings: 1
Award: $17.30
🌟 Selected for report: 0
🚀 Solo Findings: 0
17.3003 USDC - $17.30
To swap and execute a transaction on the same chain, a user should call the function swapAndExecute, which has the modifier retrieveAndCollectFees(). The protocol takes a fee from the user for swapping and executing the transaction.
function swapAndExecute(
    SwapAndExecuteInstructions calldata instructions,
    FeeStructure calldata fees,
    bytes calldata signature
)
    public
    payable
    retrieveAndCollectFees(fees, abi.encode(instructions, fees), signature) // <----------------
{
    _swapAndExecute(
        instructions.swapInstructions,
        instructions.target,
        instructions.paymentOperator,
        instructions.payload,
        instructions.refund
    );
}
However, a user can avoid paying fees by calling the internal function _swapAndExecute through another external function, so the protocol will not receive a commission.
The user can call UTB.receiveFromBridge().
Manual review
Add an access-control modifier to the function receiveFromBridge, so that it accepts calls only from the bridge contract.
Access Control
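The recommended mitigation, sketched as an added example (a simplified model, not the audited UTB contract and not the submitter's code). Only swapAndExecute, receiveFromBridge and _swapAndExecute come from the finding; the adapter allowlist, the flat fee standing in for the signed FeeStructure, and all other names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model: every name except swapAndExecute, receiveFromBridge
// and _swapAndExecute is hypothetical.
contract GuardedEntryPoints {
    address public immutable owner;
    uint256 public constant FEE = 0.001 ether; // constructed flat fee
    mapping(address => bool) public isBridgeAdapter; // hypothetical allowlist
    uint256 public feesCollected;
    uint256 public executions;

    error NotOwner();
    error NotBridgeAdapter(address caller);
    error FeeNotPaid(uint256 sent);

    constructor() { owner = msg.sender; }

    // Stand-in for retrieveAndCollectFees: the fee is taken before the body runs.
    modifier collectFee() {
        if (msg.value < FEE) revert FeeNotPaid(msg.value);
        feesCollected += FEE;
        _;
    }

    // The recommended guard: only registered bridge contracts may enter.
    modifier onlyBridgeAdapter() {
        if (!isBridgeAdapter[msg.sender]) revert NotBridgeAdapter(msg.sender);
        _;
    }

    function setBridgeAdapter(address adapter, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        isBridgeAdapter[adapter] = allowed;
    }

    // Same-chain path: the fee is enforced by the modifier.
    function swapAndExecute(bytes calldata payload) external payable collectFee {
        _swapAndExecute(payload);
    }

    // Bridge delivery path: without onlyBridgeAdapter, any account could
    // reach _swapAndExecute through this function and skip collectFee.
    function receiveFromBridge(bytes calldata payload) external onlyBridgeAdapter {
        _swapAndExecute(payload);
    }

    function _swapAndExecute(bytes calldata) internal {
        executions += 1; // placeholder for the swap and the target call
    }
}
```

When reviewing a contract of this shape, list every external or public function that reaches the shared internal routine and confirm that each one carries either the fee modifier or a caller restriction.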
#0 - c4-pre-sort
2024-01-24T15:26:47Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-01-24T15:26:54Z
raymondfam marked the issue as duplicate of #15
#2 - raymondfam
2024-01-24T15:27:55Z
Insufficient elaboration on the dodging path.
#3 - alex-ppg
2024-02-03T12:21:42Z
A 75% award has been assigned due to an overall lower quality than the rest of the submissions.
#4 - c4-judge
2024-02-03T12:21:45Z
alex-ppg marked the issue as partial-75
#5 - c4-judge
2024-02-03T13:03:51Z
alex-ppg changed the severity to 2 (Med Risk)