Sunny Coral Monkey - Rebasing Token Balance Corruption #737
Description
Sunny Coral Monkey
Medium
Rebasing Token Balance Corruption
Summary
The contracts use balance differences to determine the amount of tokens received, which can be affected by rebasing tokens.
Root Cause
Both DexSwap.sol and Router.sol compute the received amount of toToken by subtracting the balance before the swap from the balance after the swap.
DexSwap.sol: https://github.com/sherlock-audit/2025-07-debank/blob/main/swap-router-v1/src/aggregatorRouter/DexSwap.sol#L143-L150uint256 balanceBefore = IERC20(params.toToken).universalBalanceOf(address(this)); // ... swap happens ... uint256 receivedAmount = IERC20(params.toToken).universalBalanceOf(address(this)) - balanceBefore;
Router.sol: https://github.com/sherlock-audit/2025-07-debank/blob/main/swap-router-v1/src/router/Router.sol#L80-L87uint256 balanceBefore = IERC20(toToken).universalBalanceOf(address(this)); // ... swap happens ... uint256 receivedAmount = IERC20(toToken).universalBalanceOf(address(this)) - balanceBefore;
Break down:
- Uses absolute balance delta for received amount
- Rebasing tokens (e.g., AMPL, RAI) autonomously change balances
- Positive rebases inflate received amount, negative rebases cause underflow
The issue arises: If the token rebases during the swap, the balance change may not solely represent the swap output.
Rebasing tokens can cause the balance difference to be inaccurate.
Internal Pre-conditions
N/A
External Pre-conditions
N/A
Attack Path
- Uses balance delta for received amount
- No protection against autonomous balance changes
Impact
The balance difference to be inaccurate.
PoC
No response
Mitigation
No response