code-423n4 / 2021-10-tempus-findings


`exitTempusAMMAndRedeem` redeems to the wrong account #22

Status: Closed (closed by code423n4 2 years ago)

code423n4 commented 2 years ago

Handle

cmichel

Vulnerability details

In `TempusController._exitTempusAMMAndRedeem` (the first one), the inner `_exitTempusAMMGivenAmountsOut` call redeems LP tokens and sends the yield & principal shares to the `msg.sender` already. It then tries to redeem the received shares for backing tokens or yield-bearing tokens in `_redeemToBacking`/`_redeemToYieldBearing`.

However, as the shares have been sent to the `msg.sender` already instead of the controller itself, the redemption to backing/yield-bearing tokens will fail.

Impact

The `exitTempusAMMAndRedeem` function does not work correctly and will always revert.

Recommended Mitigation Steps

The `_exitTempusAMMGivenAmountsOut` call should use `this` as the recipient, not `msg.sender`.

mijovic commented 2 years ago

If you run the tests, you can see this is not true. There are tests that are doing the exact thing you explained. So, exit from AMM sends all tokens to `msg.sender`, and the same happens with the remainder of LP tokens.

0xean commented 2 years ago

Tests demonstrate this to be false.