Closed code423n4 closed 2 years ago
The described behaviour is the intended one. I agree that the function comment is inaccurate and needs to be extended to mention the possibility of redeeming to underlying.
Seems more like a QA issue to me as it only affects documentation
Consider with #164
Lines of code
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol#L210
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol#L385
Vulnerability details
Proof-of-Concept
Per the comment on the `redeemMaturedPositions` function, matured fCash positions will be redeemed for their asset token (cToken). Refer to the second line of the developer comment:
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol#L210
However, this statement is not entirely true: the manager can configure `redeemToUnderlying` for a SetToken so that its matured fCash positions are redeemed for their underlying token (e.g. DAI, USDC) instead. The line

```solidity
bool toUnderlying = redeemToUnderlying[_setToken];
```

forces the redemption to be done in asset tokens or underlying tokens depending on the Manager's prior configuration:
https://github.com/code-423n4/2022-06-notional-coop/blob/6f8c325f604e2576e2fe257b6b57892ca181509a/index-coop-notional-trade-module/contracts/protocol/modules/v1/NotionalTradeModule.sol#L385
There is a major difference between redeeming to the asset token (cToken, e.g. cDAI) and to the underlying token (e.g. DAI). The cToken continues to passively accrue the cToken lending rate, while the underlying token does not. Thus, holding cTokens in the SetToken indirectly increases the SetToken's valuation over time compared to holding the underlying token.
Thus, `redeemMaturedPositions` needs to be clear (in the implementation or the comment) about whether matured positions will only ever be redeemed for the asset token, or whether they might be redeemed for either the asset or the underlying token depending on the Manager's decision. Otherwise, investors might make investment decisions based on wrong information and, in the worst case, lose funds. This creates unnecessary complication for users and the protocol.
Recommended Mitigation Steps
If the intention of `redeemMaturedPositions` was to redeem all matured fCash positions for their asset token (cToken) only, update the relevant functions to ensure that `redeemMaturedPositions` cannot redeem to underlying tokens. Otherwise, update the comment of `redeemMaturedPositions` as follows so that it is aligned with the actual implementation:
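As an added illustration (not the project's code), the following reduced Solidity model shows the two redemption paths the finding describes, side by side with the first mitigation option (always redeem to the asset token). Only `redeemToUnderlying` and `redeemMaturedPositions` are names from the page; the wrapped fCash interface, the `invoke` interface on the SetToken, the position storage and every other name are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not NotionalTradeModule source. Both interfaces below are
// assumptions reduced to the calls this example needs.
interface IWrappedfCashLike {
    function hasMatured() external view returns (bool);
    function balanceOf(address account) external view returns (uint256);
    // Redeem matured fCash for the asset token (cToken) or for its underlying (e.g. DAI).
    function redeemToAsset(uint256 amount, address receiver, uint32 maxImpliedRate) external;
    function redeemToUnderlying(uint256 amount, address receiver, uint32 maxImpliedRate) external;
}

interface ISetTokenLike {
    // Executes a call from the SetToken itself, which holds the wfCash balance.
    function invoke(address target, uint256 value, bytes calldata data) external returns (bytes memory);
}

contract RedemptionModel {
    address public immutable manager;

    // Manager-controlled flag per SetToken, as in the finding. When true, matured
    // positions are redeemed to the underlying token instead of the cToken.
    mapping(address => bool) public redeemToUnderlying;

    // Hypothetical per-SetToken list of wrapped fCash positions.
    mapping(address => address[]) internal positions;

    event MaturedPositionRedeemed(address indexed setToken, address indexed wfCash, uint256 amount, bool toUnderlying);

    constructor() {
        manager = msg.sender;
    }

    modifier onlyManager() {
        require(msg.sender == manager, "not manager");
        _;
    }

    function setRedeemToUnderlying(address setToken, bool toUnderlying) external onlyManager {
        redeemToUnderlying[setToken] = toUnderlying;
    }

    function addPosition(address setToken, address wfCash) external onlyManager {
        positions[setToken].push(wfCash);
    }

    // Behaviour the finding describes: the redemption target depends on the
    // manager's prior configuration, so a comment saying "redeemed for cToken"
    // is only true while the flag is false.
    function redeemMaturedPositions(address setToken) external {
        bool toUnderlying = redeemToUnderlying[setToken];
        _redeemMatured(setToken, toUnderlying);
    }

    // Mitigation option 1: ignore the flag and always redeem to the asset token,
    // so the SetToken keeps accruing the cToken lending rate after maturity.
    function redeemMaturedPositionsToAsset(address setToken) external {
        _redeemMatured(setToken, false);
    }

    function _redeemMatured(address setToken, bool toUnderlying) internal {
        address[] storage list = positions[setToken];
        for (uint256 i = 0; i < list.length; i++) {
            IWrappedfCashLike wfCash = IWrappedfCashLike(list[i]);
            if (!wfCash.hasMatured()) continue;
            uint256 amount = wfCash.balanceOf(setToken);
            if (amount == 0) continue;
            // Matured fCash has no implied rate left to bound, so 0 is passed.
            bytes memory data = toUnderlying
                ? abi.encodeWithSelector(IWrappedfCashLike.redeemToUnderlying.selector, amount, setToken, uint32(0))
                : abi.encodeWithSelector(IWrappedfCashLike.redeemToAsset.selector, amount, setToken, uint32(0));
            // The SetToken holds the wfCash, so the redemption is executed through it.
            ISetTokenLike(setToken).invoke(list[i], 0, data);
            emit MaturedPositionRedeemed(setToken, list[i], amount, toUnderlying);
        }
    }
}
```

The event records which target was used for each redemption, which is the cheapest way for a SetToken holder to verify after the fact whether a matured position ended up as cToken or underlying; if the second mitigation option (documenting the flag) is chosen instead, the manager-controlled branch in `redeemMaturedPositions` is what the comment has to describe.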