From 37efe52c10ea9028f735c3cfc15af0bc9c57a745 Mon Sep 17 00:00:00 2001 From: TAMARA LIPOWSKI Date: Mon, 10 Feb 2025 23:49:01 -0500 Subject: [PATCH] fix: (TychoRouter) Revert if empty swaps - This is for security purposes. Max uncovered a vulnerability where funds could be stolen if we don't ether the while loop (i.e. if we have empty swaps). --- foundry/src/TychoRouter.sol | 5 +++++ foundry/test/TychoRouter.t.sol | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/foundry/src/TychoRouter.sol b/foundry/src/TychoRouter.sol index b15bdfa..4b8aa1f 100644 --- a/foundry/src/TychoRouter.sol +++ b/foundry/src/TychoRouter.sol @@ -17,6 +17,7 @@ import {LibSwap} from "../lib/LibSwap.sol"; error TychoRouter__WithdrawalFailed(); error TychoRouter__AddressZero(); +error TychoRouter__EmptySwaps(); error TychoRouter__NegativeSlippage(uint256 amount, uint256 minAmount); error TychoRouter__AmountInNotFullySpent(uint256 leftoverAmount); error TychoRouter__MessageValueMismatch(uint256 value, uint256 amount); @@ -191,6 +192,10 @@ contract TychoRouter is internal returns (uint256) { + if (swaps_.length == 0) { + revert TychoRouter__EmptySwaps(); + } + uint256 currentAmountIn; uint256 currentAmountOut; uint8 tokenInIndex = 0; diff --git a/foundry/test/TychoRouter.t.sol b/foundry/test/TychoRouter.t.sol index 5b5ad79..489d366 100644 --- a/foundry/test/TychoRouter.t.sol +++ b/foundry/test/TychoRouter.t.sol @@ -672,6 +672,13 @@ contract TychoRouterTest is TychoRouterTestSetup { assertGe(finalBalance, expAmountOut); } + function testEmptySwapsRevert() public { + uint256 amountIn = 10 ** 18; + bytes memory swaps = ""; + vm.expectRevert(TychoRouter__EmptySwaps.selector); + tychoRouter.exposedSwap(amountIn, 2, swaps); + } + function testSingleSwapIntegration() public { // Test created with calldata from our router encoder, replacing the executor // address with the USV2 executor address.