Closed code423n4 closed 1 year ago
The required amount of token0 is provided to the caller msg.sender in LendgineRouter.sol#L222 as the recipient of the token swap.
Closing as invalid.
berndartmueller marked the issue as unsatisfactory: Invalid
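The triage comment above turns on where the swap output lands. As an added example, not code from the Numoen repository, this Python model shows a callee that checks its balance deltas after a callback: the check passes when the swap names the pool as recipient, and fails only when the output goes to the router and is never forwarded. All class and function names are hypothetical simplifications, and a 1:1 swap price is assumed.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class Token:
    """Minimal balance ledger (constructed model, not an ERC-20 implementation)."""
    def __init__(self):
        self.bal = {}
    def balance_of(self, who):
        return self.bal.get(who, 0)
    def transfer(self, src, dst, amt):
        if self.balance_of(src) < amt:
            raise Revert("insufficient balance")
        self.bal[src] = self.balance_of(src) - amt
        self.bal[dst] = self.balance_of(dst) + amt

class Pool:
    """Callee that requests payment in a callback, then checks its own balances."""
    def __init__(self, token0, token1):
        self.token0, self.token1 = token0, token1
    def mint(self, caller, amount0, amount1):
        before0 = self.token0.balance_of(self)
        before1 = self.token1.balance_of(self)
        caller.pair_mint_callback(self, amount0, amount1)
        # Only the balance delta matters, not which call path delivered the tokens.
        if self.token0.balance_of(self) < before0 + amount0:
            raise Revert("token0 underpaid")
        if self.token1.balance_of(self) < before1 + amount1:
            raise Revert("token1 underpaid")

class Router:
    def __init__(self, token0, token1, dex, swap_to_pool):
        self.token0, self.token1, self.dex = token0, token1, dex
        self.swap_to_pool = swap_to_pool
    def pair_mint_callback(self, pool, amount0, amount1):
        # Swap token1 for token0 at an assumed 1:1 price; the swap's recipient
        # argument decides where the token0 output lands.
        recipient = pool if self.swap_to_pool else self
        self.token1.transfer(self, self.dex, amount0)
        self.token0.transfer(self.dex, recipient, amount0)
        self.token1.transfer(self, pool, amount1)  # token1 is paid directly

def run(swap_to_pool):
    token0, token1, dex = Token(), Token(), object()
    token0.bal[dex] = 100      # constructed liquidity on the swap venue
    router = Router(token0, token1, dex, swap_to_pool)
    token1.bal[router] = 100   # constructed router funds
    try:
        Pool(token0, token1).mint(router, 30, 20)
        return "ok"
    except Revert as e:
        return str(e)
```

When reviewing a callback like this, trace the recipient argument of every swap or transfer before concluding that a token is never paid.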
Lines of code
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/periphery/LendgineRouter.sol#L228-L237
Vulnerability details
Impact
Detailed description of the impact of this finding.
LendgineRouter.burn() will always REVERT because the callback function forgot to send the due token0 back. The callback function pairMintCallback() is supposed to send amount0 of token0 back to Lendgine, but it forgot to do so, leading to an invariant check failure and, finally, the revert of LendgineRouter.burn().
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
We show why LendgineRouter.burn() will always REVERT:
1) Suppose Alice calls LendgineRouter.burn() to take an option position and withdraw it fully into token1.
2) LendgineRouter.burn() will call Lendgine.burn() as follows:
3) Lendgine.burn() will call Lendgine.mint(liquidity, data);
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Lendgine.sol#L1174)
Lendgine.mint(liquidity, data) calls back LendgineRouter.pairMintCallback(), expecting it to send back amount0 of token0 and amount1 of token1.
4) However, LendgineRouter.pairMintCallback() only sends back token1, and forgets to send any token0 back, even after swapping for the required token0.
5) As a result, Lendgine.mint(liquidity, data) will fail the invariant check and revert, so LendgineRouter.burn() will revert as well.
Tools Used
Recommended Mitigation Steps
We need to send back the due amount0 of token0 to its caller.