Lack of Swap Path Configuration Permissions Leading to LP Hijacking

Summary: swapMaps can be arbitrarily set to malicious trading pairs, causing funds to be routed to the attacker's contract.

Detailed Description:

In the setSwapMap function (L470-473), the validity of the _pools parameter is not verified, allowing attackers to set malicious trading pairs to steal tokens.

Vulnerability: Swap Path Hijacking Vulnerability

Impact: Contract funds are transferred to the attacker's address via malicious trading pairs.

PoC:

// Attacker controls malicious trading pair address attackerPool = deployMaliciousPool(); AutoCompoundingPodLp.Pools memory maliciousPools = AutoCompoundingPodLp.Pools(attackerPool, address(0));

// Set malicious path and trigger transaction vm.prank(owner); autoCompoundingPodLp.setSwapMap(inputToken, outputToken, maliciousPools);

// User deposit is hijacked vm.prank(user); autoCompoundingPodLp.deposit(100 ether, user);

Code Snippet https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/AutoCompoundingPodLp.sol#L470-473

Recommendation:

Add permission verification to allow only trusted addresses to modify swapMaps

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

084.md

084.md

Lack of Swap Path Configuration Permissions Leading to LP Hijacking

Files

084.md

Latest commit

History

084.md

File metadata and controls

Lack of Swap Path Configuration Permissions Leading to LP Hijacking