Handle
shw
Vulnerability details
Impact
The redeemToken function in IdleYieldSource uses redeemedShare instead of redeemAmount as the input parameter when calling redeemIdleToken of the Idle yield source. As a result, users could get fewer underlying tokens than they should.
Proof of Concept
When burning users' shares, it is correct to use redeemedShare (line 130). However, when redeeming underlying tokens from Idle Finance, redeemAmount should be used instead of redeemedShare (line 131). Usually, the tokenPriceWithFee() is greater than ONE_IDLE_TOKEN, and thus redeemedShare is less than redeemAmount, causing users to get fewer underlying tokens than expected.
Referenced code: IdleYieldSource.sol#L129-L131
Recommended Mitigation Steps
Change redeemedShare to redeemAmount at line 131.