Bright Violet Crocodile
Medium
AmirX::_buyBack() does not specify exactly how much fees to pay which will lead to users paying too much/little
AmirX::_buyBack() swaps a certain amount of feeToken resulting from the previous (bool walletResult, ) = wallet.call{value: 0}(defi.walletData); call when feeToken is not Telcoin nor address(0).
If the swapData specifies a certain amount out of Telcoin, it may request too much or too little amount in of feeToken, either costing the user too much for the same Telcoin and sending the leftover to the safe or it reverts otherwise.
If the swapData specifies an amount in of feeToken the Telcoin fee is variable so there is no complete control on the amount of Telcoin paid as fee.
In AmirX:224, the fees paid can vary significantly for the same amount of defi swapped due to slippage.
None.
None.
- Swapper calls
AmirX:swap()with afeeTokenthat is not Telcoin.
The user under/overpays for the same amount of funds swapped.
function _buyBack(
ERC20 feeToken,
address aggregator,
address safe,
bytes memory swapData
) internal {
if (address(feeToken) == address(0)) return;
if (address(feeToken) == POL) {
(bool polSwap, ) = aggregator.call{value: msg.value}(swapData);
require(polSwap, "AmirX: POL swap transaction failed");
if (address(this).balance > 0) {
(bool success, ) = safe.call{value: address(this).balance}("");
require(success, "AmirX: POL send transaction failed");
}
} else {
// zero out approval
feeToken.forceApprove(aggregator, 0);
feeToken.safeIncreaseAllowance(
aggregator,
feeToken.balanceOf(address(this))
);
(bool ercSwap, ) = aggregator.call{value: 0}(swapData);
require(ercSwap, "AmirX: token swap transaction failed");
uint256 remainder = feeToken.balanceOf(address(this));
if (remainder > 0) feeToken.safeTransfer(safe, remainder);
}
}Specify an exact amount of fee to pay and revert if the resulting Telcoin is lower or send the exceeding Telcoin amount to the wallet.