This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

Angry_Mustache_Man - Absence of Approval causes DOS/Revertion at all times #654

Closed
sherlock-admin opened this issue Aug 30, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

sherlock-admin commented Aug 30, 2023

Angry_Mustache_Man

high

Absence of Approval causes DOS/Revertion at all times

Summary

The _performLiquidation function of LiquidationRow.sol is where the actual liquidation process happens, and it involves a swapping of tokens using BaseAsyncSwapper.sol, where "sell tokens" are swapped for "buy tokens". These "buy tokens" received by LiquidationRow.sol are further used to pay fees and for other purposes. But after the swapping, the BaseAsyncSwapper.sol contract doesn't send the "buy tokens" back to LiquidationRow.sol, which it should, causing reverts at all times.

Vulnerability Detail

In the _performLiquidation function of LiquidationRow.sol at:

        // the swapper checks that the amount received is greater or equal than the params.buyAmount
        uint256 amountReceived = IAsyncSwapper(asyncSwapper).swap(params);

swapping happens, where "sell tokens" are swapped for "buy tokens". Now looking into the BaseAsyncSwapper.sol contract (which is used for swapping), we see:

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/BaseAsyncSwapper.sol#L19-#L64

After swapping, the buy tokens are neither sent back to LiquidationRow.sol nor is any approval given to it.
In the next step after swapping in the _performLiquidation function of LiquidationRow.sol, we can see that the function performs a transfer of "buy tokens" (transferring fees, which are in the buy token, to feeReceiver), which will fail at almost all times, causing DOS.

        if (feeReceiver != address(0) && feeBps > 0) {
            uint256 fee = calculateFee(amountReceived);
            emit FeesTransfered(feeReceiver, amountReceived, fee);

            // adjust the amount received after deducting the fee
            amountReceived -= fee;
            // transfer fee to the fee receiver
            IERC20(params.buyTokenAddress).safeTransfer(feeReceiver, fee);
        }

Impact

DOS/Revertion at all times

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/LiquidationRow.sol#L251

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/BaseAsyncSwapper.sol#L19-#L64

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/LiquidationRow.sol#L254-#L262

Tool used

Manual Review

Recommendation

Either do an approval and have the "buy tokens" pulled to LiquidationRow.sol or do a delegatecall to swap contract.

Duplicate of #205

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin2 sherlock-admin2 changed the title Fresh Cornflower Ostrich - Absence of Approval causes DOS/Revertion at all times Angry_Mustache_Man - Absence of Approval causes DOS/Revertion at all times Oct 3, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Oct 3, 2023
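
A sketch of a swapper that returns the swap proceeds to its caller, so that the caller's subsequent fee transfer of the buy token has a balance to draw on. This is an added example, not code from the audited repository or the project's fix. `ReturningSwapper`, `IERC20Min`, the `aggregator` address, and every `SwapParams` field other than `buyTokenAddress` and `buyAmount` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; not code from the audited repository.
// Minimal token interface (assumes tokens that return bool; production
// code would use SafeERC20, as the quoted fee transfer does).
interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Assumed shape: only buyTokenAddress and buyAmount appear in the report.
struct SwapParams {
    address sellTokenAddress;
    uint256 sellAmount;
    address buyTokenAddress;
    uint256 buyAmount;
    bytes data; // calldata forwarded to the aggregator (assumption)
}

contract ReturningSwapper {
    address public immutable aggregator; // hypothetical swap venue

    constructor(address _aggregator) {
        aggregator = _aggregator;
    }

    /// The caller is assumed to have transferred `sellAmount` of the sell
    /// token to this contract before calling swap().
    function swap(SwapParams memory p) external returns (uint256 received) {
        IERC20Min sell = IERC20Min(p.sellTokenAddress);
        IERC20Min buy = IERC20Min(p.buyTokenAddress);

        uint256 balBefore = buy.balanceOf(address(this));
        require(sell.approve(aggregator, p.sellAmount), "approve failed");
        (bool ok,) = aggregator.call(p.data);
        require(ok, "swap failed");

        // Measure what the swap actually produced and enforce the minimum.
        received = buy.balanceOf(address(this)) - balBefore;
        require(received >= p.buyAmount, "insufficient buy amount");

        // Return the proceeds: without this transfer (or an approval the
        // caller can pull against), the buy tokens stay in this contract and
        // the caller's fee transfer reverts for lack of balance.
        require(buy.transfer(msg.sender, received), "return failed");
    }
}
```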