Incorrect POL amount is passed to aggregator

Summary

In AmirX::_buyBack() incorrect POL amount is passed to aggregator as msg.value.

Root Cause

The root cause of the issue is in AmirX::_buyBack() msg.value of swap() is used as payer source when feeToken is POL.

if (address(feeToken) == POL) {
            (bool polSwap, ) = aggregator.call{value: msg.value}(swapData);

But it should use the balance of the AmirX as payer source i.e instead of msg.value it should use address(this).balance.

Internal pre-conditions

None.

External pre-conditions

None.

Attack Path

None.

Impact

Incorrect POL amount will be sent to aggregator which result miscalculation in aggregator.

PoC

https://github.com/sherlock-audit/2024-11-telcoin/blob/b9c751b59e78a7123a636e31ecafc9147046f190/telcoin-audit/contracts/swap/AmirX.sol#L231-L232

Mitigation

... codes
if (address(feeToken) == POL) {
-            (bool polSwap, ) = aggregator.call{value: msg.value}(swapData);
+            (bool polSwap, ) = aggregator.call{value: address(this).balance}(swapData);
... codes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

063.md

063.md

Incorrect POL amount is passed to aggregator

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

Files

063.md

Latest commit

History

063.md

File metadata and controls

Incorrect POL amount is passed to aggregator

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation