The redeemToken function in IdleYieldSource uses redeemedShare instead of redeemAmount as the input parameter when calling redeemIdleToken of the Idle yield source. As a result, users could get fewer underlying tokens than they should.
Proof of Concept
When burning users' shares, it is correct to use redeemedShare (line 130). However, when redeeming underlying tokens from Idle Finance, redeemAmount should be used instead of redeemedShare (line 131). Usually, the tokenPriceWithFee() is greater than ONE_IDLE_TOKEN, and thus redeemedShare is less than redeemAmount, causing users to get fewer underlying tokens than expected.
PierrickGT
commented
3 years ago
Handle
shw
Vulnerability details
Impact
The
redeemTokenfunction inIdleYieldSourceusesredeemedShareinstead ofredeemAmountas the input parameter when callingredeemIdleTokenof the Idle yield source. As a result, users could get fewer underlying tokens than they should.Proof of Concept
When burning users' shares, it is correct to use
redeemedShare(line 130). However, when redeeming underlying tokens from Idle Finance,redeemAmountshould be used instead ofredeemedShare(line 131). Usually, thetokenPriceWithFee()is greater thanONE_IDLE_TOKEN, and thusredeemedShareis less thanredeemAmount, causing users to get fewer underlying tokens than expected.Referenced code: IdleYieldSource.sol#L129-L131
Recommended Mitigation Steps
Change
redeemedSharetoredeemAmountat line 131.