roguereddwarf - SwapHandler.sol: Check that collateral token cannot be swapped is insufficient for tokens with multiple addresses #31
Comments
Sierraescape
added
Sponsor Confirmed
|
Tokens with multiple addresses are pretty rare, so we're just going to note that the vault doesn't allow such tokens as collateral, and create wrappers for them if necessary. https://github.com/protokol/taurus-contracts/pull/120 |
|
Escalate for 10 USDC Token with different addresses is very very rare. Almost every protocols in Defi operating on assumption of token with single address. |
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
|
Escalate for 10 USDC Disagree with previous escalation. |
You've created a valid escalation for 10 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
|
Escalation accepted Considering this a valid medium. Note: Going forward, Sherlock team will add additional clarity on such rare token cases in the README. |
This issue's escalations have been accepted! Contestants' payouts and scores will be updated according to the changes made on this issue. |
sherlock-admin
added
Escalation Resolved
Fixed here |
|
No direct fix has been implemented but a note has been added explicitly stating that multi-address tokens are not supported |
|
Classifying this issue as "Acknowledged" since no direct fix was made. |
jacksanford1
added
Won't Fix
roguereddwarf
medium
SwapHandler.sol: Check that collateral token cannot be swapped is insufficient for tokens with multiple addresses
Summary
According to the contest page
any non-rebasingERC20 token is supposed to be supported.The
SwapHandler.swapForTaufunction checks that thecollateralTokencannot be sent to theSwapAdapterfor trading:https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L54-L56
Vulnerability Detail
There exist however ERC20 tokens that have more than one address. In case of such a token, the above check is not sufficient. The token could be swapped anyway by using a different address.
Impact
The check that collateral cannot be swapped can be bypassed for tokens with multiple addresses.
Code Snippet
https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/Vault/SwapHandler.sol#L45-L101
Tool used
Manual Review
Recommendation
Compare the balance of the collateral before and after sending tokens to the SwapAdapter and make sure it hasn't changed. Or implement a whitelist for tokens that can be swapped.
The text was updated successfully, but these errors were encountered: