Decent - monrel's results

Lines of code

https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/swappers/UniSwapper.sol#L138 https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/swappers/UniSwapper.sol#L159

Vulnerability details

Impact

If the price changes enough the post-bridge swap will revert due to the slippage protection. Funds will not be refunded but instead stay in StarGateBridgeAdatper.

The swap can be attempted again by calling clearCachedSwap() on stargate Router but since the swap parameter can not be updated funds can be trapped for a long period of time or potentially stuck forever if the price never returns to a level that matches the initial parameters.

Proof of Concept

Steps showing sgReceive() can revert and leave funds in StargateBridgeAdapter:

Before sgReceive() is called it receives the bridged funds.

sgReceive() calls IUTB(utb).receiveFromBridge() where a swap is attempted.L209

_swapAndExecute(postBridge, target, paymentOperator, payload, refund);

Where swap() L95 is called on UniSwapper to subsequently call Univ3Router to either swap for exact input or exact output.

If we are swapping for exact input the call looks like this L138

amountOut = IV3SwapRouter(uniswap_router).exactInput(params);

which revert on these conditions L28

require(amountOut >= params.amountOutMinimum, 'Too little received');

If the slippage is high enough this transaction reverts and the funds are left in StargateBridgeAdapter.

If the price never recovers all subsequent calls to sgReceive() with clearCachedSwap() will also fail.

Tools Used

vscode,

Recommended Mitigation Steps

Catch the revert and refund the user on the destination chain if the a swap fails.

Assessed type

Uniswap