Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Direct WETH swap fails due to incompatibility with ZetaTokenConsumerUniV3 & ZetaTokenConsumerPancakeV3 #422

Open
c4-bot-4 opened this issue Dec 17, 2023 · 9 comments
Open

Direct WETH swap fails due to incompatibility with ZetaTokenConsumerUniV3 & ZetaTokenConsumerPancakeV3 #422

c4-bot-4 opened this issue Dec 17, 2023 · 9 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality M-09 satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@c4-bot-4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV3.strategy.sol#L98-L122
https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/protocol-contracts/contracts/evm/tools/ZetaTokenConsumerUniV3.strategy.sol#L158-L182

Vulnerability details

Impact

User use the ZetaTokenConsumerUniV3.sol to get the zeta tokens. Either through ETH or through other ERC20 tokens.
One of the most important tokens in Defi today is the WETH token, all swaps in the codebase to/from ZETA are routed through the ZETA/WETH pool. However this contact, as well as the ZetaTokenConsumerPancakeV3 and the ZetaTokenConsumerTrident do not permit users to swap WETH directly to ZETA.
This is because of an oversight in the swap function that require the existence of a WETH/WETH pool.
As seen below, when the input/output token is WETH, the function will revert:

 function getZetaFromToken(
        address destinationAddress,
        uint256 minAmountOut,
        address inputToken,
        uint256 inputTokenAmount
    ) external override returns (uint256) {
        if (destinationAddress == address(0) || inputToken == address(0)) revert ZetaCommonErrors.InvalidAddress();
        if (inputTokenAmount == 0) revert InputCantBeZero();

        IERC20(inputToken).safeTransferFrom(msg.sender, address(this), inputTokenAmount);
        IERC20(inputToken).safeApprove(address(uniswapV3Router), inputTokenAmount);

        ISwapRouter.ExactInputParams memory params = ISwapRouter.ExactInputParams({
            deadline: block.timestamp + MAX_DEADLINE,
            path: abi.encodePacked(inputToken, tokenPoolFee, WETH9Address, zetaPoolFee, zetaToken),
            recipient: destinationAddress,
            amountIn: inputTokenAmount,
            amountOutMinimum: minAmountOut
        });

Proof of Concept

From the Pancake V3 factory and Uni V3 factory contracts, it is evident that pools cannot be created for a token with itself. Therefore users cannot swap WETH to WETH thereby breaking the path needed to swap WETH to Zeta or vice versa.
In the code base, the issue is present:

Tools Used

Manual Review

Recommended Mitigation Steps

Implement a check to see if the input/output token is WETH, if so, perform the swap directly between WETH and ZETA without a second swap.

Assessed type

Other
@c4-bot-4 c4-bot-4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 17, 2023
c4-bot-4 added a commit that referenced this issue Dec 17, 2023
@c4-bot-4
Josephdara_0xTiwa issue #422
a84af43
@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Dec 19, 2023
@c4-pre-sort
Copy link

DadeKuma marked the issue as insufficient quality report

@c4-judge
Copy link

c4-judge commented Jan 7, 2024

0xean marked the issue as unsatisfactory:
Insufficient quality

@c4-judge c4-judge closed this as completed Jan 7, 2024
@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Jan 7, 2024
@DadeKuma
Copy link

This seems false:

This is because of an oversight in the swap function that require the existence of a WETH/WETH pool.

And the poc is insufficient as it's just a list of code references.

@Josephdara
Copy link

This is not false, all references stated in the POC section are lines of code in the codebase within scope that require a WETH/WETH pool.

When the Input token is WETH, it attempts to first swap to WETH, then to ZETA.
When the output token is WETH, it first swaps ZETA to WETH, then attempts swapping WETH to WETH.

This was explained above with all the points that this happened listed in the POC section .

As at the time of this submission, there was no requirement for a compulsory coded POC but this can be provided.

Still, I leave this to the judge. Thanks

@0xean
Copy link

0xean commented Jan 15, 2024

more evidence would certainly have been welcomed, but I do follow the wardens belief that this would cause an issue when attempting to call getZetaFromToken() and the input is WETH. Reaching out to sponsor for comment (@lumtis )

@c4-judge
Copy link

0xean removed the grade

@c4-judge c4-judge reopened this Jan 15, 2024
@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards and removed unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Jan 15, 2024
@c4-judge
Copy link

0xean marked the issue as satisfactory

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Jan 17, 2024
@c4-sponsor
Copy link

lumtis (sponsor) confirmed

@c4-judge
Copy link

0xean marked the issue as selected for report

@c4-judge c4-judge added the selected for report This submission will be included/highlighted in the audit report label Jan 18, 2024
@C4-Staff C4-Staff added the M-09 label Jan 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working insufficient quality report This report is not of sufficient quality M-09 satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@0xean @DadeKuma @Josephdara @c4-judge @c4-sponsor @c4-pre-sort @C4-Staff @c4-bot-4