[WP-M3] `TurboRouter.sol#createSafeAndDeposit*()` CreateSafeAndDeposit combo methods won't work as an allowance cannot be granted to a newly created Safe for deposit #56
The TurboRouter.sol#deposit() function can be used in a multicall() together with approve() and pullToken() from PeripheryPayments to pull tokens from msg.sender and grant allowance for the ERC4626 Safe to call asset.safeTransferFrom() with the msg.sender being the router's address.
However, that would not work for createSafeAndDeposit() and createSafeAndDepositAndBoost(), because a newly created Safe address can only be known at runtime.
Lines of code
https://github.com/fei-protocol/tribe-turbo/blob/5e1c5d9b49dc557c84f07afabbba2ba4e08e9cc6/src/TurboRouter.sol#L49-L72
Vulnerability details
The
TurboRouter.sol#deposit()
function can be used in amulticall()
together withapprove()
andpullToken()
fromPeripheryPayments
to pull tokens frommsg.sender
and grant allowance for theERC4626 Safe
to callasset.safeTransferFrom()
with themsg.sender
being the router's address.However, that would not work for
createSafeAndDeposit()
andcreateSafeAndDepositAndBoost()
, because a newly created Safe address can only be known at runtime.https://github.com/fei-protocol/tribe-turbo/blob/5e1c5d9b49dc557c84f07afabbba2ba4e08e9cc6/src/TurboRouter.sol#L49-L72
Recommendation
Change to: