086.md

Fast Khaki Raccoon

Medium

Tokens will be stuck in AutoCompoundingPodLp if the intermediary swap token is not a reward token

Summary

Tokens will be stuck in AutoCompoundingPodLp if the intermediary swap token is not a reward token

Root Cause

Upon swapping between tokens when processing rewards in AutoCompoundingPodLp, we call _swapV2() where we either go through a direct swap or a multi hop swap where we have this code:

if (maxSwap[_path[1]] > 0 && _intermediateBal > maxSwap[_path[1]]) {
                _intermediateBal = maxSwap[_path[1]];
}
IERC20(_path[1]).safeIncreaseAllowance(address(DEX_ADAPTER), _intermediateBal);
_amountOut = DEX_ADAPTER.swapV2Single(_path[1], _path[2], _intermediateBal, _amountOutMin, address(this));

We swap between the second and third token in the _path array. The issue is that if we have set a max swap for the in token and we cap that amount, then the rest of the tokens will be stuck in the contract forever if the token is not a reward token.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

1. We go through a swap such as X -> Y -> Z where X is a reward token and Z is the paired LP token we want to swap to, Y is an intermediate token for the swap as there is not a direct pool between X and Z
2. Y has a max swap amount of 100 tokens and it is not a reward token
3. We swap from X to Y and receive 150 Y tokens
4. We cap the Y tokens to swap at 100 and swap them for Z tokens
5. The 50 Y tokens are left stuck forever due to the cap, there is no way to take them out as it is not a reward token

Impact

Stuck funds

PoC

No response

Mitigation

If the intermediate token is not a reward token, increment a value for that tokens of the tokens that are over the cap and implement a rescue function for them