Skip to content

Latest commit

 

History

History
78 lines (54 loc) · 2.79 KB

050.md

File metadata and controls

78 lines (54 loc) · 2.79 KB

Cheery Holographic Swift

High

Native Tokens Will Not Be Used as a Fee Token for the DeFi Swap.

Summary

The fee of a Defi swap is paid to the protocol by users. Although the Defi swap is initiated by swappers, they do not pay any fee themselves. However, the AmirX::_buyBack() function incorrectly uses msg.value instead of address(this).balance, preventing native tokens (MATIC) from being used as a fee token.

Root Cause

The AmirX::_buyBack() function is implemented as follows:

    function _buyBack(
        ERC20 feeToken,
        address aggregator,
        address safe,
        bytes memory swapData
    ) internal {
        if (address(feeToken) == address(0)) return;
        if (address(feeToken) == POL) {
232:        (bool polSwap, ) = aggregator.call{value: msg.value}(swapData);
            require(polSwap, "AmirX: POL swap transaction failed");

            if (address(this).balance > 0) {
                (bool success, ) = safe.call{value: address(this).balance}("");
                require(success, "AmirX: POL send transaction failed");
            }
        } else {
            ------ SKIP ------
        }
    }

As shown, the function uses msg.value instead of address(this).balance when calling aggregator to buy back the fee as Telcoin. This implies that the swapper must pay the fee, as the swapper is the one calling the Defi swap function. This seems to be a misunderstanding by the developers, as the fee should be paid by the user's wallet in the following section of the Defi swap process:

    function _defiSwap(address wallet, DefiSwap memory defi) internal {
        //user's interaction
168:    (bool walletResult, ) = wallet.call{value: 0}(defi.walletData);
        require(walletResult, "AmirX: wallet transaction failed");

        _feeDispersal(defi);
    }

As a result, the _buyBack() function should use address(this).balance instead of msg.sender in line 232.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. A user wants to swap eUSD in their wallet for USDC, paying the fee in native tokens (MATIC).
  2. A swapper calls AmirX::defiSwap() on behalf of the user but the swapper doesn't send any MATIC with the transaction.
  3. The fee is transferred from user's wallet to the contract as MATIC in line 168.
  4. The aggregator fails to convert the fee to Telcoin because msg.sender is zero.
  5. As a result, the Defi swap fails.

Impact

Users can't use the native tokens (MATIC) to pay the fee for Defi swap.

PoC

No response

Mitigation

It is recommended to use address(this).balance instead of msg.sender in the AmirX::_buyBack() function.