XDZIBEC
medium
XDZIBEC
meduim
Arbitrary Swap and Manipulation in USSDRebalancer Contract
The vulnerability in the USSDRebalancer contract lies in the BuyUSSDSellCollateral function.
The code lacks proper validation and checks, which can lead to unauthorized and arbitrary swapping of tokens as well as potential manipulation of the rebalancing process.
}
function BuyUSSDSellCollateral(uint256 amountToBuy) internal {
CollateralInfo[] memory collateral = IUSSD(USSD).collateralList();
//uint amountToBuyLeftUSD = amountToBuy * 1e12 * 1e6 / getOwnValuation();
uint amountToBuyLeftUSD = amountToBuy * 1e12;
uint DAItosell = 0;
// Sell collateral in order of collateral array
for (uint256 i = 0; i < collateral.length; i++) {
uint256 collateralval = IERC20Upgradeable(collateral[i].token).balanceOf(USSD) * 1e18 / (10**IERC20MetadataUpgradeable(collateral[i].token).decimals()) * collateral[i].oracle.getPriceUSD() / 1e18;
if (collateralval > amountToBuyLeftUSD) {
// sell a portion of collateral and exit
if (collateral[i].pathsell.length > 0) {
uint256 amountBefore = IERC20Upgradeable(baseAsset).balanceOf(USSD);
uint256 amountToSellUnits = IERC20Upgradeable(collateral[i].token).balanceOf(USSD) * ((amountToBuyLeftUSD * 1e18 / collateralval) / 1e18) / 1e18;
IUSSD(USSD).UniV3SwapInput(collateral[i].pathsell, amountToSellUnits);
amountToBuyLeftUSD -= (IERC20Upgradeable(baseAsset).balanceOf(USSD) - amountBefore);
DAItosell += (IERC20Upgradeable(baseAsset).balanceOf(USSD) - amountBefore);
} elseIn the BuyUSSDSellCollateral function, there is a loop that iterates over the collateral array. Inside the loop, the following code is executed:
IUSSD(USSD).UniV3SwapInput(collateral[i].pathsell, amountToSellUnits);The UniV3SwapInput function is called without performing proper validation or checks on the collateral[i].pathsell and amountToSellUnits parameters This lack of validation leading to exploits and to various types of attacks, such as integer overflow or underflow, unauthorized swaps, or manipulation of swap paths.
an attacker could provide malicious input to the UniV3SwapInput function, tricking the contract into performing unintended swaps or executing arbitrary code. This could result in the loss of funds or the manipulation of the rebalancing mechanism
and also there some issues:
- --Malicious Path: The
collateral[i].pathsellparameter represents the path for the swap, but there are no checks to ensure that the path is valid or safe. An attacker could provide a malicious or incorrect path, leading to unexpected behavior or loss of funds - --Manipulation of
amountToSellUnitsTheamountToSellUnitsparameter is used to determine the amount of collateral to sell. If this value can be manipulated by an attacker, it could result in an incorrect or excessive amount of collateral being sold, leading to loss of funds or an imbalance in the rebalancing mechanism. - --Lack of Error Handling: The code does not handle potential errors or exceptions that may occur during the swap. This omission could result in unexpected behavior or failure to handle critical conditions, leaving the contract vulnerable to exploits.
Manual Review
- Validate Input Parameters: Add appropriate input validation checks to ensure that the
amountToBuyparameter is within acceptable limits and does not exceed the available balance or cause unintended behavior. - Implement Access Control: Apply access control mechanisms to restrict the execution of the function to authorized users only. You can utilize
OpenZeppelin'sAccess Control or other similar libraries to manage role-based access control. - Enhance Error Handling: Implement proper error handling mechanisms to handle potential failures during token swaps. This includes checking for return values and handling exceptions or reverting the transaction if necessary.
- Implement Token Swapping Safeguards: Consider implementing safeguards to prevent arbitrary token swapping and protect against potential manipulation. For example, you can define specific conditions or thresholds that must be met before allowing the swapping of tokens