Skip to content

Latest commit

 

History

History
63 lines (41 loc) · 2.17 KB

106.md

File metadata and controls

63 lines (41 loc) · 2.17 KB

Loud Snowy Marmot

Medium

Lack of Input Validation in setSwapMap and setMaxSwap

L0ckin7 Medium

Summary

The setSwapMap and setMaxSwap functions do not validate the input parameters (_in, _out, _amt). Code lacks input validation, which could lead to vulnerabilities or unexpected behavior.

Impact

This could lead to setting invalid or malicious swap configurations, invalid input addresses or amounts could cause the contract to behave unexpectedly. An attacker could exploit this lack of input validation to set malicious values, disrupting the contract's functionality or stealing funds. If malicious input is set, it could result in a loss of funds for users or the protocol.

Recommendations

Add input validation to ensure valid token addresses and reasonable swap amounts.

setSwapMap Function :

https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/AutoCompoundingPodLp.sol#L418

Added validation for _in and _out to ensure they are not address(0).

Added validation for _pools.pool1 to ensure it is not address(0).

Optionally, you can add validation for _pools.pool2 if it is expected to be non-zero.

function setSwapMap(address _in, address _out, Pools memory _pools) external onlyOwner {
    require(_in != address(0), "Invalid input token address");
    require(_out != address(0), "Invalid output token address");
    require(_pools.pool1 != address(0), "Invalid pool1 address");
    // Optionally validate pool2 if it is expected to be non-zero
    // require(_pools.pool2 != address(0), "Invalid pool2 address");

    swapMaps[_in][_out] = _pools;
    emit SetSwapMap(_in, _out);
}

setMaxSwap Function :

https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/AutoCompoundingPodLp.sol#L423

Added validation for _in to ensure it is not address(0).

Added validation for _amt to ensure it is greater than 0.

function setMaxSwap(address _in, uint256 _amt) external onlyOwner {
    require(_in != address(0), "Invalid token address");
    require(_amt > 0, "Amount must be greater than 0");

    maxSwap[_in] = _amt;
    emit SetMaxSwap(_in, _amt);
}