Skip to content

Latest commit

 

History

History
36 lines (26 loc) · 1.9 KB

Anyone can steal all the funds that belong to `ReferralFeeReceiver`.md

File metadata and controls

36 lines (26 loc) · 1.9 KB

Anyone can steal all the funds that belong to ReferralFeeReceiver The ReferralFeeReceiver receives pool shares when users swap() tokens in the pool.

A ReferralFeeReceiver may be used with multiple pools and, therefore, be a lucrative target as it is holding pool shares.

Any token or ETH that belongs to the ReferralFeeReceiver is at risk and can be drained by any user by providing a custom mooniswap pool contract that references existing token holdings.

It should be noted that none of the functions in ReferralFeeReceiver verify that the user-provided mooniswap pool address was actually deployed by the linked MooniswapFactory.

Recommendation:

Enforce that the user-provided mooniswap contract was actually deployed by the linked factory.

Other contracts cannot be trusted. Consider implementing token sorting and de-duplication (tokenA!=tokenB) in the pool contract constructor as well.

Consider employing a reentrancy guard to safeguard the contract from reentrancy attacks. Improve testing.

The methods mentioned here are not covered at all.

Improve documentation and provide a specification that outlines how this contract is supposed to be used.


Slide Screenshot

117.jpg


Slide Text

  • ConsenSys Audit 1inch Finding 5.1
  • Access Control & Input/Data Validation
  • User-controlled Contract & Tokens
  • Specify & Document & Validate

References


Tags