Omniscia Euler Finance Audit
SwapHandlerUniAutoRouter Manual Review Findings
SHA-01M: Arbitrary Payload Invocations
| Type | Severity | Location |
|---|---|---|
| Logical Fault | ![]() | SwapHandlerUniAutoRouter.sol:L36 |
Description:
The swapInternal function relays an arbitrary payload to uniSwapRouter02 via a low-level call instruction. This should be considered unsafe, depending on the functions exposed by the uniSwapRouter02 contract.
Example:
```solidity
function swapInternal(SwapParams memory params) private {
    // SwapHandlerUniAutoRouter.sol:L36 - params.payload is forwarded to the router as-is
    (bool success, bytes memory result) = uniSwapRouter02.call(params.payload);
    if (!success) revertBytes(result);
}
```
Recommendation:
We advise the swapInternal function to at least validate the function signature of params.payload and only allow a subset of the function signatures of uniSwapRouter02 to be invoked. Alternatively, we advise swapInternal to be refactored so that it does not use a call instruction at all and instead invokes explicit functions exposed by the uniSwapRouter02 contract, decoding the input arguments contained in params.payload.
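The first option of the recommendation, a selector allowlist applied before the call, as an added example (not code from the audit or from Euler Finance). The contract name, the `IRouterSubset` interface with its assumed signature, the two error types, the `swap` entry point and the `revertBytes` stand-in are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Assumption: the only router function this handler needs to reach. Replace it
// with the signatures taken from the deployed router's ABI.
interface IRouterSubset {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to
    ) external payable returns (uint256 amountOut);
}

contract SelectorCheckedSwapHandler {
    struct SwapParams { bytes payload; } // reduced to the one field used here

    address public immutable uniSwapRouter02;

    error PayloadTooShort();
    error SelectorNotAllowed(bytes4 selector);

    constructor(address router) { uniSwapRouter02 = router; }

    // Allowlist of router selectors. If a batching function that carries nested
    // call data is ever listed here, the nested calls need the same check.
    function isAllowed(bytes4 selector) public pure returns (bool) {
        return selector == IRouterSubset.swapExactTokensForTokens.selector;
    }

    // Hypothetical entry point; the real handler's access control is out of scope.
    function swap(SwapParams memory params) external { swapInternal(params); }

    function swapInternal(SwapParams memory params) private {
        bytes memory payload = params.payload;
        if (payload.length < 4) revert PayloadTooShort();
        bytes4 selector = bytes4(payload); // first four bytes = function selector
        if (!isAllowed(selector)) revert SelectorNotAllowed(selector);
        (bool success, bytes memory result) = uniSwapRouter02.call(payload);
        if (!success) revertBytes(result);
    }

    // Stand-in for the handler's revertBytes helper: bubbles up the revert data.
    function revertBytes(bytes memory errMsg) private pure {
        if (errMsg.length > 0) {
            assembly { revert(add(32, errMsg), mload(errMsg)) }
        }
        revert("empty error");
    }
}
```

The check costs one length comparison and one selector comparison per allowed function, which is the gas overhead the Alleviation below refers to.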
Alleviation:
The Euler Finance team evaluated this exhibit and has stated that, while arbitrary code execution can be dangerous, in a similar vein to SHI-01M they believe that validation would incur additional gas costs, especially in relation to the Uniswap V2 implementation, which contains very strict code interactions and does not pose a threat if interacted with via any of its publicly exposed methods. Given that Uniswap V2 call validation can be performed, however, we will address this exhibit as acknowledged.
