Closed code423n4 closed 2 years ago
If you run the test you could see this is not true. There are tests that are doing the exact thing you explained.
So, exit from AMM sends all tokens to `msg.sender`, same happens with the remainder of LP tokens.
Tests demonstrate this to be false.
Handle
cmichel
Vulnerability details
In `TempusController._exitTempusAMMAndRedeem` (the first one), the inner `_exitTempusAMMGivenAmountsOut` call redeems LP tokens and sends the yield&principal shares to the `msg.sender` already. It then tries to redeem the received shares for backing tokens or yield-bearing tokens in `_redeemToBacking`/`_redeemToYieldBearing`.

However, as the shares have been sent to the `msg.sender` already instead of the controller itself, the redemption to backing/yield-bearing tokens will fail.

Impact
The `exitTempusAMMAndRedeem` function does not work correctly and will always revert.

Recommended Mitigation Steps
The `_exitTempusAMMGivenAmountsOut` call should use `this` as the recipient, not `msg.sender`.
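
A minimal model of the token flow the report describes, as an added example that is not Tempus code. The contract and function names are hypothetical, and it assumes the redemption step burns shares held by the controller itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed model (hypothetical names): a bare share ledger standing in
// for the yield/principal share tokens. Not the project's contracts.
contract ModelShares {
    mapping(address => uint256) public balanceOf;

    // Stand-in for the AMM exit crediting shares to a chosen recipient.
    function credit(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    // Stand-in for redemption: burns shares held by the *caller* of this
    // function. When a controller calls it, msg.sender here is the controller.
    function redeem(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient shares");
        balanceOf[msg.sender] -= amount;
    }
}

contract ModelController {
    ModelShares public immutable shares;

    constructor(ModelShares s) {
        shares = s;
    }

    // Internal call: msg.sender is still the external user at this point.
    function _exit(address recipient, uint256 amount) internal {
        shares.credit(recipient, amount);
    }

    // Flow as described in the report: shares go to the user, then the
    // controller tries to redeem shares it does not hold, so this reverts.
    function exitAndRedeemRecipientCaller(uint256 amount) external {
        _exit(msg.sender, amount);
        shares.redeem(amount);
    }

    // Flow as recommended in the report: the controller is the recipient,
    // so it holds the shares it then redeems.
    function exitAndRedeemRecipientSelf(uint256 amount) external {
        _exit(address(this), amount);
        shares.redeem(amount);
    }
}
```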