ZeroTrust - The createExchange() process lacks the step of transferring reserve tokens to the reserve contract.

[sherlock-admin3]

ZeroTrust

Medium

The createExchange() process lacks the step of transferring reserve tokens to the reserve contract.

Summary

The createExchange() process lacks the step of transferring reserve tokens to the reserve contract.

Root Cause

https://github.com/sherlock-audit/2024-10-mento-update/blob/098b17fb32d294145a7f000d96917d13db8756cc/mento-core/contracts/goodDollar/BancorExchangeProvider.sol#L227

  function _createExchange(PoolExchange calldata _exchange) internal returns (bytes32 exchangeId) {
    PoolExchange memory exchange = _exchange;
    validateExchange(exchange);

    // slither-disable-next-line encode-packed-collision
    exchangeId = keccak256(
      abi.encodePacked(IERC20(exchange.reserveAsset).symbol(), IERC20(exchange.tokenAddress).symbol())
    );
    require(exchanges[exchangeId].reserveAsset == address(0), "Exchange already exists");

    uint256 reserveAssetDecimals = IERC20(exchange.reserveAsset).decimals();
    uint256 tokenDecimals = IERC20(exchange.tokenAddress).decimals();
    require(reserveAssetDecimals <= 18, "Reserve asset decimals must be <= 18");
    require(tokenDecimals <= 18, "Token decimals must be <= 18");

    tokenPrecisionMultipliers[exchange.reserveAsset] = 10 ** (18 - uint256(reserveAssetDecimals));
    tokenPrecisionMultipliers[exchange.tokenAddress] = 10 ** (18 - uint256(tokenDecimals));

    exchanges[exchangeId] = exchange;
    exchangeIds.push(exchangeId);
    emit ExchangeCreated(exchangeId, exchange.reserveAsset, exchange.tokenAddress);
  }

https://github.com/sherlock-audit/2024-10-mento-update/blob/098b17fb32d294145a7f000d96917d13db8756cc/mento-core/contracts/swap/Broker.sol#L84

  function addExchangeProvider(
    address exchangeProvider,
    address reserve
  ) public override(IBroker, IBrokerAdmin) onlyOwner returns (uint256 index) {
    require(!isExchangeProvider[exchangeProvider], "ExchangeProvider already exists in the list");
    require(exchangeProvider != address(0), "ExchangeProvider address can't be 0");
    require(reserve != address(0), "Reserve address can't be 0");
    exchangeProviders.push(exchangeProvider);
    isExchangeProvider[exchangeProvider] = true;
    exchangeReserve[exchangeProvider] = reserve;
    emit ExchangeProviderAdded(exchangeProvider);
    emit ReserveSet(exchangeProvider, reserve);
    index = exchangeProviders.length - 1;
  }

From the code, it can be seen that there is no transfer of reserve tokens during the creation of the Exchange or its addition to the Broker, resulting in the reserve token balance in the reserve contract being zero. Additionally, the specified reserve token parameter _exchange.reserveBalance in the creation process does not actually transfer this amount of tokens to the reserve contract.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

In the early stages of the Exchange, users can only purchase GoodDollar and cannot sell it.

PoC

No response

Mitigation

Transfer the amount of reserve tokens specified by _exchange.reserveBalance to the reserve contract.