086.md

Gorgeous Jade Falcon

High

Swapper Role Incorrectly Uses msg.value Causing Potential issues

Summary

The incorrect usage of msg.value in the _buyBack function will cause a potential loss for the protocol as the SWAPPER_ROLE user cannot provide POL directly, leading to swap failures or possible mismanagement of POL funds.

Root Cause

In AmirX.sol: 232, msg.value is used to conduct swaps for POL tokens, which should instead use address(this).balance.

Internal pre-conditions

1. SWAPPER_ROLE calls _buyBack for a fee buyback operation using POL.
2. The protocol holds a POL balance from previous transactions or collected fees.

External pre-conditions

1. The aggregator expects a non-zero POL amount to execute the swap successfully.
2. SWAPPER_ROLE is unable to send msg.value as part of the contract transaction, causing failure.

Attack Path

1. The SWAPPER_ROLE initiates _buyBack with POL selected as feeToken.
2. _buyBack calls the aggregator using msg.value, which will be zero from the caller (SWAPPER_ROLE).
3. The transaction fails or completes without using the POL balance on the contract, causing a failed buyback or remaining POL in the contract.

Impact

The protocol suffers a potential loss of POL due to failed swaps or inconsistent buyback behavior, as SWAPPER_ROLE cannot complete swaps correctly.

PoC

No response

Mitigation

Use address(this).balance instead of msg.value for POL transactions within _buyBack.

function _buyBack(ERC20 feeToken, address aggregator, address safe, bytes memory swapData) internal {
    if (address(feeToken) == POL) {
        uint256 polBalance = address(this).balance; <<<<@
        (bool polSwap, ) = aggregator.call{value: polBalance}(swapData); <<<<@ remove msg.value
        require(polSwap, "AmirX: POL swap transaction failed");
    }
}