Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SingleTokenJoinV2 doesn't take input deadline to consideration #170

Closed
code423n4 opened this issue Dec 19, 2021 · 2 comments
Closed

SingleTokenJoinV2 doesn't take input deadline to consideration #170

code423n4 opened this issue Dec 19, 2021 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working invalid This doesn't seem right

Comments

@code423n4
Copy link
Contributor

Handle

kenzo

Vulnerability details

SingleNativeTokenExitV2 takes as input from the user a deadline for the trades.
However, it does not use this input for the actual trade but sets the deadline to be block.timestamp.

Impact

Trades will not work as expected. User might set a deadline for the trade but his trade will get executed regardless.

Duplicate issue?

This issue is present in a few contracts in the repo - SingleNativeTokenExitV2, SingleTokenJoinV2.
If I submit both in one issue, but the judge will decide to reward them separately, he would not be able to do so for me as I submitted them all in one issue.
So this is why I am submitting them in separate issues.
If it is will be rewarded only as one issue, the judge will close the duplicate. Thank you.

Proof of Concept

We can see the input struct has deadline as a parameter, however, _joinTokenSingle passes as deadline block.timestamp, and not the input deadline.

Recommended Mitigation Steps

Send to the router _joinTokenStruct.deadline instead of block.timestamp. (Code ref)

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 19, 2021
code423n4 added a commit that referenced this issue Dec 19, 2021
@loki-sama
Copy link
Collaborator

duplicate #112

@loki-sama loki-sama added the duplicate This issue or pull request already exists label Dec 29, 2021
@ghost ghost closed this as completed Jan 10, 2022
@0xleastwood
Copy link
Collaborator

This issue and #169 both fall under the issue outlined in #47 so I'll mark this as invalid to avoid a duplicate submission from the same warden.

@0xleastwood 0xleastwood added invalid This doesn't seem right and removed duplicate This issue or pull request already exists labels Jan 22, 2022
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working invalid This doesn't seem right
Projects
None yet
Development

No branches or pull requests

3 participants