Issue 6 #6
Comments
I've added a "Router WhiteList" for the permission check, please help check whether it resolves the problem. Thanks!
Related changes:
- flamingo-contract-swap/Swap/flamingo-contract-swap/FlamingoSwapPair/FlamingoSwapPairContract.Nep5.cs, line 77 in 90bdb87
- flamingo-contract-swap/Swap/flamingo-contract-swap/FlamingoSwapPair/FlamingoSwapPairContract.cs, line 162 in 90bdb87
- flamingo-contract-swap/Swap/flamingo-contract-swap/FlamingoSwapPair/FlamingoSwapPairContract.cs, line 225 in 90bdb87
- flamingo-contract-swap/Swap/flamingo-contract-swap/FlamingoSwapPair/FlamingoSwapPairContract.cs, line 273 in 90bdb87
I think these should do, LGTM
Description
The `FlamingoSwapPairContract` contract implements many functionalities for a token-swap pair. These interfaces will be called by `FlamingoSwapRouterContract` in many different scenarios. For example, a user can claim his bonus after providing liquidity for a token-swap pair via the `RemoveLiquidity` function of `FlamingoSwapRouterContract`. It will first do some sanity checks, then transfer the liquidity token to the `FlamingoSwapPairContract` and call `Burn` to remove the liquidity token, retrieve the tokens back and send them back to the user. However, `Burn` is publicly available, so an attacker can burn the liquidity token if someone mistakenly transfers it to the `FlamingoSwapPairContract` contract. There is a Medium article by Dan Robinson that thoroughly explains the concept and exploitation. The same issue also applies to `Mint` and `Swap`.
Recommendation
Add permission checks for these functions.
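A router-whitelist guard of the kind the fix above describes, as an added example that is not the project's code: it is written against the Neo 2.x (NEP-5 era) devpack API, and the storage prefix, the owner address, `SetRouter`/`IsRouter` and the `Burn` body are assumptions made for illustration.

```csharp
// Added example (not the project's code): a calling-contract whitelist guard for the
// pair's Burn/Mint/Swap, written against the Neo 2.x (NEP-5 era) devpack API. The
// storage prefix, owner address, SetRouter/IsRouter and the Burn body are assumptions.
using System;
using Neo.SmartContract.Framework;
using Neo.SmartContract.Framework.Services.Neo;
using Neo.SmartContract.Framework.Services.System;

public class RouterWhiteListExample : SmartContract
{
    // Placeholder owner: the sample address from the devpack NEP-5 template; replace before deploying.
    private static readonly byte[] Owner = "AK2nJJpJr6o664CWJKi1QRXjqeic2zRp8y".ToScriptHash();
    // Storage prefix (assumed value) for "router script hash -> allowed" entries.
    private static readonly byte[] RouterPrefix = new byte[] { 0x52 };

    private static byte[] RouterKey(byte[] router)
    {
        return RouterPrefix.Concat(router);
    }

    // Owner-only administration: register or revoke a router contract by script hash.
    public static bool SetRouter(byte[] router, bool allowed)
    {
        if (!Runtime.CheckWitness(Owner)) return false;
        if (router.Length != 20) return false;
        if (allowed) Storage.Put(Storage.CurrentContext, RouterKey(router), new byte[] { 0x01 });
        else Storage.Delete(Storage.CurrentContext, RouterKey(router));
        return true;
    }

    // True only when the given script hash is a registered router.
    private static bool IsRouter(byte[] scriptHash)
    {
        return Storage.Get(Storage.CurrentContext, RouterKey(scriptHash)).Length > 0;
    }

    // Guarded Burn. The check keys on the CALLING CONTRACT (ExecutionEngine.CallingScriptHash),
    // not on Runtime.CheckWitness: a witness check would pass for any user who signs a direct
    // invocation, which is exactly the path the issue describes. Because the check runs before
    // any state is read, LP tokens that reach the pair by mistake cannot be burned by an
    // arbitrary caller. Mint and Swap get the identical first statement.
    public static bool Burn(byte[] toAddress)
    {
        if (!IsRouter(ExecutionEngine.CallingScriptHash))
            throw new Exception("Forbidden: caller is not a whitelisted router");
        // ... the pair's existing burn logic (pro-rata amounts, burn LP, transfer both tokens) ...
        return true;
    }
}
```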