Skip to content

Latest commit

 

History

History
91 lines (66 loc) · 2.92 KB

057.md

File metadata and controls

91 lines (66 loc) · 2.92 KB

Basic Lilac Marmot

High

anyone can steal swapping token

Summary

Summary

function deposit(uint256 _assets, address _receiver) external override returns (uint256 _shares) {
  _processRewardsToPodLp(0, block.timestamp);
  _shares = _convertToShares(_assets, Math.Rounding.Floor);
  _deposit(_assets, _shares, _receiver);
}

Anyone can deposit tokens through the deposit function, which will invoke the _processRewardsToPodLp function in the process.

address _rewardsToken = pod.lpRewardsToken();
if (_token != _rewardsToken) {
  **_amountOut = _swap(_token, _swapOutputTkn, _amountIn, 0);**
  if (IS_PAIRED_LENDING_PAIR) {
      _amountOut = _depositIntoLendingPair(_pairedLpToken, _swapOutputTkn, _amountOut);
  }
  return _amountOut;
}
try DEX_ADAPTER.swapV3Single(
  _rewardsToken,
  _swapOutputTkn,
  REWARDS_POOL_FEE,
  _amountIn,
  **0, // _amountOutMin can be 0 because this is nested inside of function with LP slippage provided**
  address(this)
) returns (uint256 __amountOut) {
  _tokenToPairedSwapAmountInOverride[_rewardsToken][_swapOutputTkn] = 0;
  _amountOut = __amountOut;

  // if this is a self-lending pod, convert the received borrow token
  // into fTKN shares and use as the output since it's the pod paired LP token
  if (IS_PAIRED_LENDING_PAIR) {
      _amountOut = _depositIntoLendingPair(_pairedLpToken, _swapOutputTkn, _amountOut);
  }
} catch {
  _tokenToPairedSwapAmountInOverride[_rewardsToken][_swapOutputTkn] =
      _amountIn / 2 < _minSwap ? _minSwap : _amountIn / 2;
  IERC20(_rewardsToken).safeDecreaseAllowance(address(DEX_ADAPTER), _amountIn);
  emit TokenToPairedLpSwapError(_rewardsToken, _swapOutputTkn, _amountIn);
}

In the process of executing these functions, the _tokenToPairedLpToken function is called, and during that process, the token is swapped. Since the amountOutMin is set to 0, it is possible for front-running or forced function calls to steal tokens during the swap process.

Root Cause

https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/AutoCompoundingPodLp.sol#L266 https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/AutoCompoundingPodLp.sol#L284 In the process of executing these functions, the _tokenToPairedLpToken function is called, and during that process, the token is swapped. Since the amountOutMin is set to 0, it is possible for front-running or forced function calls to steal tokens during the swap process.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

Since the _processRewardsToPodLp function can be called through the deposit function, the attack process is as follows:

  1. Adjust the liquidity of the swap pool to make it disadvantageous for the swap amount.
  2. Perform the swap through the deposit function.
  3. Profit

Impact

can steal all swapping tokens

PoC

No response

Mitigation

No response