LI.FI contest - TomFrenchBlockchain's results

Bridge & DEX Aggregation.

General Information

Platform: Code4rena

Start Date: 24/03/2022

Pot Size: $75,000 USDC

Total HM: 15

Participants: 59

Period: 7 days

Judge: gzeon

Id: 103

League: ETH

LI.FI

Findings Distribution

Researcher Performance

Rank: 31/59

Findings: 1

Award: $385.22

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: kirk-baird

Also found by: TomFrenchBlockchain, VAD37, WatchPug, hyh, rayn, wuwe1

Labels

bug
duplicate
2 (Med Risk)

Awards

385.2169 USDC - $385.22

External Links

Lines of code

https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/Swapper.sol#L14-L21

https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Libraries/LibSwap.sol#L42

Vulnerability details

Impact

_executeSwaps will revert if multiple swaps are performed and msg.value > 0, preventing the use of the native asset.

Proof of Concept

A core feature of DEX aggregators is that they allow users to split a single trade across multiple DEXs; this is the intention behind the _executeSwaps function.

However, when executing a swap, the LibSwap library attaches the full msg.value to every external call it makes to a DEX. Unless each DEX returns msg.value of the native asset back to Lifi.sol, the next call will revert because the contract no longer holds enough ETH to attach to it. A core capability of the protocol therefore does not function.

Note this also allows users to drain any ETH which is left sitting on the Lifi contract by setting msg.value equal to Lifi's balance and performing 2 trades which use ETH as the input and sending the output to their address (leaking value).

Rather than attaching msg.value to the external call unconditionally, attach fromAmount as the call value only if LibAsset.isNativeAsset(fromAssetId) holds, and attach zero otherwise.

Add tests for native asset handling to the test suite.
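Added illustration, not code from the LI.FI repository: a simplified model of the multi-swap loop described above, showing the unconditional msg.value forwarding beside the mitigation recommended. The SwapData layout, the address(0) sentinel for the native asset and the helper library names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed, simplified swap description (not the repository's exact struct).
struct SwapData {
    address callTo;      // DEX or router to call
    address fromAssetId; // address(0) denotes the native asset (assumption)
    uint256 fromAmount;  // amount of fromAssetId this leg consumes
    bytes callData;      // encoded DEX call
}

library LibAssetLike {
    address internal constant NATIVE = address(0);
    function isNativeAsset(address a) internal pure returns (bool) { return a == NATIVE; }
}

contract VulnerableSwapper {
    // Vulnerable pattern: the full msg.value is forwarded on EVERY iteration.
    // Leg 2 can only succeed if the DEX in leg 1 refunded the ETH, and any ETH
    // already sitting in this contract is forwarded along with the caller's.
    function executeSwaps(SwapData[] calldata swaps) external payable {
        for (uint256 i = 0; i < swaps.length; i++) {
            (bool ok, ) = swaps[i].callTo.call{ value: msg.value }(swaps[i].callData);
            require(ok, "swap failed");
        }
    }
}

contract HardenedSwapper {
    // Mitigated pattern: only a native-asset leg carries value, and only the
    // amount that leg consumes. Keeping a running total bounded by msg.value
    // ensures pre-existing contract balance is never forwarded.
    function executeSwaps(SwapData[] calldata swaps) external payable {
        uint256 nativeUsed;
        for (uint256 i = 0; i < swaps.length; i++) {
            uint256 value = LibAssetLike.isNativeAsset(swaps[i].fromAssetId)
                ? swaps[i].fromAmount
                : 0;
            nativeUsed += value;
            require(nativeUsed <= msg.value, "native amount exceeds msg.value");
            (bool ok, ) = swaps[i].callTo.call{ value: value }(swaps[i].callData);
            require(ok, "swap failed");
        }
    }
}
```

A native-asset test for the hardened version should cover a two-leg route where only the first leg is native and a route whose native legs sum to more than msg.value.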

#0 - gzeoneth

2022-04-16T17:38:48Z

Duplicate of #86
