Add exchange remark #120

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

paszkowskiDamian wants to merge 3 commits into develop from dp/add-exchange-remark

README.md

-Original file line number
+Diff line change
@@ Expand Up @@
     `npm run test [network] [test-file]` - run a test to the specified network by calling the script from the `/test` folder
     `npm run verify [network] [contract-name]` - verify contract based on address and arguments from `/deployments` folder
+    ## Remarks
+    - `Exchange.sol` in the `_swap` function we are calling low level function `call` with arbitrary address and call data, which may impose some security threats, however by design the `Exchange` contract does not hold any founds and is used only as proxy to Exchange (1inch) and collecting fees. Thus calling `call` in our case is safe and does not expose us or our users to theft of funds.

contracts/multiply/Exchange.sol

-Original file line number
+Diff line change
@@ Expand Up / @@ -85,6 +85,8 @@ contract Exchange { @@
         bytes calldata withData
       ) internal returns (uint256) {
         IERC20(fromAsset).safeApprove(callee, amount);
+        // In general we shouldn't call arbitrary address with arbitrary data. This would be a security risk,
+        // However in this case by design the Exchange contract does not hold any funds, so there is nothing to be stolen.
         (bool success, ) = callee.call(withData);
         require(success, "Exchange / Could not swap");
         uint256 balance = IERC20(toAsset).balanceOf(address(this));
@@ Expand Down @@

Provide feedback