You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If duplicate input tokens are used in GeneralConverter then the function Convert will go wrong.
Suppose tokens[0]==tokens[1] and tokens.length==2;
Suppose you call Convert(tokens[0],tokenCRV,100,...)
Then in the first pass of the for loop:
_input == tokens[0] ==> amounts[0]=100 ==> add_liquidity( amounts[]={100,0} )
In the second pass of the for loop:
_input == tokens[1] ==> amounts[1]=100 ==> add_liquidity( amounts[]={100,100} )
So add_liquidity is called twice.
As similar issue occurs when converting from tokenCRV:
Then "tokens[i].safeTransfer(msg.sender, _outputAmount);" will be called multiple times.
Vulnerability details
If duplicate input tokens are used in GeneralConverter then the function Convert will go wrong.
Suppose tokens[0]==tokens[1] and tokens.length==2;
Suppose you call Convert(tokens[0],tokenCRV,100,...)
Then in the first pass of the for loop:
_input == tokens[0] ==> amounts[0]=100 ==> add_liquidity( amounts[]={100,0} )
In the second pass of the for loop:
_input == tokens[1] ==> amounts[1]=100 ==> add_liquidity( amounts[]={100,100} )
So add_liquidity is called twice.
As similar issue occurs when converting from tokenCRV:
Then "tokens[i].safeTransfer(msg.sender, _outputAmount);" will be called multiple times.
Proof of concept
metavault/contracts/v3/converters/GeneralConverter.sol
Lines 101 to 128 in 014fd27
Recommended mitigation steps
Check all input token addresses are different in the constructor of GeneralConverter.
You could use "indices[address(_tokens[i])]" for this, but then you have to add 1 to all these values to make sure 0 is never used.
The text was updated successfully, but these errors were encountered: