code-423n4 / 2022-02-tribe-turbo-findings


[M-00] Slurp Miss on Turbo Savior Save #42

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-02-tribe-turbo/blob/main/src/modules/TurboSavior.sol#L96-L136

Vulnerability details

Severity: Medium
Likelihood: High
Status: {Not Submitted}
Scope: modules/TurboSavior.sol:save()

When a TurboSavior save function is executed, collateral factors are calculated without accounting for the accrued vault interest.

The TurboSavior save function should first slurp the vault to accrue interest and update the TurboMaster accounting, then less the debt repayment.

This follows the canonical pattern in TurboRouter's slurpAndLess function:

slurpAndLess

Recommendation: Slurp the safe at the beginning of the save function. Example below (on line 111).

TurboSavior Save With an Added Slurp

transmissions11 commented 2 years ago

don't see the issue here? calculation of debt in the turbo pool is separate from the boost variables and will be up to date regardless

GalloDaSballo commented 2 years ago

Have to agree with the sponsor here, save is a function that is acting at the fuse level.

All invariants are respected, while the warden's opinion in terms of coding practices is respectable, I don't think there's a vulnerability here.

Additionally a lack of POC leads me to side with the sponsor.

For these reasons I believe non-critical to be the appropriate severity.

GalloDaSballo commented 2 years ago

Because this was downgraded, I am going to judge in the QA report #44.