chaduke
high
sendWnt() allows a user to send amount of wrapped native tokens to a receiver. However, it does not check whether msg.value == amount, that is, there is no guarantee that the sender will send the specified amount of native tokens to the ExchangeRouter contract, which resulted in two impacts:
-
If there are already native tokens in
ExchangeRouter, a user can steal all those native tokens to his personal wallet address. -
If there are no native tokens in
ExchangeRouter, and a user sent more native tokens thanamount, then the remaining native tokens will be lost from the user. The transaction will only sendamountof wrapped tokens to the receiver.
The sendWnt() function allows a user to wrap the specified amount of native tokens into WNT then sends the WNT to the specified address.
It calls the TokenUtils.depositAndSendWrappedNativeToken() to achieve that.
However, these two functions do not check whether msg.value == amount.
As a result, a malicious user Bob can steal native tokens from the ExchangeRouter contract if there are any there by calling
sendWnt(Bob, ExchangeRouter's native token balance)
On the other hand, if Alice likes to send 1000 WNT to kathy, and she calls
sendWnt(Kathy, 1000)but sending 10000 native tokens for the transaction. The transaction will fail to detect that Alice sent too much native tokens to the contract. The transaction will send 1000 WNT to Kathy and kept the 9000 native tokens in the contract, subject to the attacker Bob described above.
A malicious user can steal WNT from ExchangeRouter while some other users might loss native tokens to ExchangeRouter .
See above
VSCode
Manual Review
We need to check whether msg.value == amount:
function sendWnt(address receiver, uint256 amount) external payable nonReentrant {
+ if(msg.value != amount) WntAmountNotMatching();
ReceiverUtils.validateReceiver(receiver);
TokenUtils.depositAndSendWrappedNativeToken(dataStore, receiver, amount);
}