Special Ash Beetle
Medium
The contract incorrectly uses msg.value instead of the contract's accumulated POL balance when performing buyback operations, preventing the proper conversion of collected POL fees to TELCOIN
The AmirX.sol incorrectly processes POL (Polygon/MATIC) fees during buyback operations by using msg.value instead of the contract's actual POL balance. This prevents the contract from converting POL fees into TELCOIN as intended.
function _buyBack( ERC20 feeToken, address aggregator, address safe, bytes memory swapData ) internal { if (address(feeToken) == POL) { (bool polSwap, ) = aggregator.call{value: msg.value}(swapData); require(polSwap, "AmirX: POL swap transaction failed"); } }
https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/swap/AmirX.sol#L224
The bug occurs because the function uses msg.value for the swap amount instead of address(this).balance, which represnts the contract's actual POL balance
Assume a user wants to swap pol = 50 User balance:50 POL // 1. User performs a swap with 10% fee(assuming 10% fee) Transaction { from: user value: 50 POL fee: 5 POL (10%) } // 2. Result after swap AmirX balance: 5 POL (fee collected) (note: the balance of the contracts pol can be anythingthis issue will still occur){5 pol is just assuming contract had 0 pol before} User receives: xyz token according to there swap // 3. Buyback attempt buyBack() { // Uses msg.value instead of contract balance (5 POL) aggregator.call{value: 0}(swapData) } // 4. Final state AmirX balance: 5 POL TELCOIN received: 0
The buyback function must be triggered
1)POL must be specified as the fee token
No response
1)POL fees accumulate in contract without conversion 2) Protocol loses opportunity to acquire TELCOIN 3) The contract accumulates POL fees over time that need to be swapped
No response
No response