Open code423n4 opened 3 years ago
I agree that we should compute balanceDiff
on the underlying balance.
Regarding the burn of the user's shares, we should keep it as is to verify first that the user has enough shares. This way if he doesn't, the code execution will revert before funds are withdrawn from Aave.
Handle
cmichel
Vulnerability details
The
ATokenYieldSource.redeemToken
function burnsaTokens
and sends out underlying, however, it's used in a reverse way in the code: ThebalanceDiff
is used as thedepositToken
that is transferred out but it's computed on the aTokens that were burned instead of on thedepositToken
received.Impact
It should not directly lead to issues as aTokens are 1-to-1 with their underlying but we still recommend doing it correctly to make the code more robust against any possible rounding issues.
Recommended Mitigation Steps
Compute
balanceDiff
on the underyling balance (depositToken), not on the aToken. Subtract the actual burned aTokens from the user shares.