search

code-423n4 / 2024-02-spectra-findings

4 stars 2 forks source link

`beforeYtTransfer()` not used before yield transfer #126

Closed c4-bot-2 closed 8 months ago

c4-bot-2 commented 8 months ago

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L377-L391

Vulnerability details

Impact

Function beforeYtTransfer() is not called before yield transfer in claimYieldInIBT()

Proof of Concept

Function beforeYtTransfer() is not called in claimYieldInIBT().

File: PrincipalToken.sol

    function claimYieldInIBT(address _receiver) public override returns (uint256 yieldInIBT) {
        yieldInIBT = _claimYield();
        if (yieldInIBT != 0) {
            IERC20(ibt).safeTransfer(_receiver, yieldInIBT);
        }
    }

Function claimYieldInIBT() performs a transfer of yield: IERC20(ibt).safeTransfer(_receiver, yieldInIBT), however, it does not call beforeYtTransfer() which updates yield: updateYield(_from), updateYield(_to).

This means, the calling claimYieldInIBT() won't update the yield properly, since it does not call beforeYtTransfer().

Tools Used

Manual code review

Recommended Mitigation Steps

Make sure to call beforeYtTransfer() whenever yield is being transferred.

Assessed type

Other

c4-pre-sort commented 8 months ago

gzeon-c4 marked the issue as insufficient quality report

gzeon-c4 commented 8 months ago

invalid https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/YieldToken.sol#L75

c4-judge commented 8 months ago

JustDravee marked the issue as unsatisfactory: Invalid