🛣️Incorrect Swap Path

Book an audit with Zokyo

VaderRouter._swap performs wrong swap

Vulnerability Details

Description:

In the VaderRouter._swap function, a 3-path hop is designed to initially swap foreign assets into native assets, followed by swapping the acquired native assets back to different foreign assets. However, there's a mix-up in the argument positions for the pool.swap(nativeAmountIn, foreignAmountIn) call. Specifically, in the attempt to execute a pool0 foreign-to-native swap, the function mistakenly utilizes the foreign amount as if it were the native amount.

Code Snippet:

The following segment shows the erroneous call where nativeAmountIn = amountIn is used, but it should be set as foreignAmountIn (the second argument).

_swap(
    uint256 amountIn,
    address[] calldata path,
    address to
) private returns (uint256 amountOut) {
    if (path.length == 3) {
      // Incorrect swap attempt; uses foreign amount as native amount.
      return pool1.swap(0, pool0.swap(amountIn, 0, address(pool1)), to);
    }
}

For correction, the function call should be structured as follows:

return pool1.swap(pool0.swap(0, amountIn, address(pool1)), 0, to); // Corrected call

Impact:

Due to this confusion in argument placement, all 3-path swaps navigating through the VaderRouter would be unsuccessful. The error triggers when the requirement require(nativeAmountIn = amountIn <= nativeBalance - nativeReserve = 0) is evaluated since a foreign amount is provided where a native amount is expected, causing the transaction to fail.

Recommended Mitigation Steps:

1. Correct Function Call Arguments: Update the function call to accurately reflect the appropriate argument placement for native and foreign amounts. The corrected call should be:

   return pool1.swap(pool0.swap(0, amountIn, address(pool1)), 0, to);

   This adjustment ensures that the pool0.swap call receives the correct foreign amount input, preventing the aforementioned requirement check failure and allowing 3-path swaps to be executed successfully.