Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarMintCommonModule.sol#L116-L117
Vulnerability details
Impact
The function `_lockOnTOB` is used to deposit SGL liquidity tokens into the yieldbox and then use them to create a lock position. The issue is that the function does not give the yieldbox approval to use its tokens, which will lead to an insufficient-allowance revert.

The function first takes the tokens out of the user with the `_extractTokens` function, and then tries to send them to the yieldbox to deposit them. The issue is that the contract never approved the yieldbox to use these tokens. So the yieldbox does not have permission to move these tokens out of the contract, and thus this function will always fail.

Proof of Concept
The lack of approval can be seen in the code itself. The correct pattern is used in the other function `_depositYBLendSGL`, where the approval is given first. The `safeApprove` call is missing in the `_lockOnTOB` function, and thus the function will always fail.

Tools Used
Manual Review

Recommended Mitigation Steps
Hand out the approval with a `safeApprove` call, as is done in the other functions.

Assessed type
Invalid Validation
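The broken and mitigated shapes side by side, as an added illustration that is not Tapioca's code: `IYieldBoxLike` is a hypothetical stand-in for the yieldbox deposit entry point (its signature is assumed), `lockWithoutApproval` mirrors the `_lockOnTOB` flow that pulls tokens in and then asks the yieldbox to pull them again, and `lockWithApproval` is the `_depositYBLendSGL`-style flow with the allowance granted first. OpenZeppelin's `forceApprove` stands in for the `safeApprove` call the report names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical stand-in for the yieldbox deposit entry point (assumed signature).
// What matters for the finding: the yieldbox calls transferFrom(from, ...) on the
// token, so it needs an allowance from `from` even when `from` is the caller.
interface IYieldBoxLike {
    function depositAsset(uint256 assetId, address from, address to, uint256 amount, uint256 share)
        external
        returns (uint256 amountOut, uint256 shareOut);
}

contract LockExample {
    using SafeERC20 for IERC20;

    IYieldBoxLike public immutable yieldBox;

    constructor(IYieldBoxLike _yieldBox) {
        yieldBox = _yieldBox;
    }

    // Broken shape (the _lockOnTOB pattern): tokens are pulled into this contract,
    // then the yieldbox is asked to pull them from this contract. No allowance was
    // granted to the yieldbox, so the token's transferFrom reverts on allowance.
    function lockWithoutApproval(IERC20 sgl, uint256 assetId, uint256 amount) external {
        sgl.safeTransferFrom(msg.sender, address(this), amount); // _extractTokens step
        yieldBox.depositAsset(assetId, address(this), address(this), amount, 0); // always reverts
    }

    // Mitigated shape (the _depositYBLendSGL pattern): grant the yieldbox an allowance
    // for exactly this deposit before calling it, then clear it so no standing
    // allowance is left on the contract afterwards.
    function lockWithApproval(IERC20 sgl, uint256 assetId, uint256 amount) external {
        sgl.safeTransferFrom(msg.sender, address(this), amount);
        sgl.forceApprove(address(yieldBox), amount);
        yieldBox.depositAsset(assetId, address(this), address(this), amount, 0);
        sgl.forceApprove(address(yieldBox), 0);
    }
}
```

Approving the exact `amount` and resetting to zero afterwards keeps the contract from accumulating an open-ended allowance toward the yieldbox, which is the cheapest check to add alongside the fix itself.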