don't see the issue here? calculation of debt in the turbo pool is separate from the boost variables and will be up to date regardless
Have to agree with the sponsor here, `save` is a function that is acting at the fuse level.
All invariants are respected. While the warden's opinion in terms of coding practices is respectable, I don't think there's a vulnerability here.
Additionally a lack of POC leads me to side with the sponsor.
For these reasons I believe non-critical to be the appropriate severity
Because this was downgraded, I am going to judge in the QA report #44
Lines of code
https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboSavior.sol#L96-L136
Vulnerability details
Severity: Medium
Likelihood: High
Status: {Not Submitted}
Scope: `modules/TurboSavior.sol:save()`

When a `TurboSavior` `save` function is executed, collateral factors are calculated without accounting for the accrued vault interest. The `TurboSavior` `save` function should first `slurp` the vault to accrue interest and update the `TurboMaster` accounting, then `less` the debt repayment. This follows the canonical pattern in `TurboRouter`'s `slurpAndLess` function:

Recommendation: Slurp the safe at the beginning of the `save` function. Example below (on line 111).