In Magnetar there is the functionality to interact with the TapoiocaOptionBroker and TapiocaOptionLiquidityProvision to manage your options using MagnetarAction.TapToken.
The issue is that if you do this, for the calls ITapiocaOptionBroker.exerciseOption and ITapiocaOptionBroker.participate the resulting tokens that are rewarded/minted will be stuck in the Magnetar contract.
Consider adding the ability for the caller to declare a receiver in TapiocaOptionBroker::participate and exerciseOption. Similar to how it's done in TapiocaOptionLiquidityProvision::lock.
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/Magnetar.sol#L304-L305
Vulnerability details
Description
In
Magnetar
there is the functionality to interact with theTapoiocaOptionBroker
andTapiocaOptionLiquidityProvision
to manage your options usingMagnetarAction.TapToken
.The issue is that if you do this, for the calls
ITapiocaOptionBroker.exerciseOption
andITapiocaOptionBroker.participate
the resulting tokens that are rewarded/minted will be stuck in theMagnetar
contract.This is because
TapiocaOptionBroker.exerciseOption
:and
TapiocaOptionBroker::participate
:mints to
msg.sender
which when called fromMagnetar
will beMagnetar
.Impact
A user using
Magnetar
for participating or claiming rewards will have their tokens stuck inMagnetar
.Proof of Concept
Test in
tap-token/test/Magnetar.t.sol
:Full test setup can be found here.
Tools Used
Manual audit
Recommended Mitigation Steps
Consider adding the ability for the caller to declare a receiver in
TapiocaOptionBroker::participate
andexerciseOption
. Similar to how it's done inTapiocaOptionLiquidityProvision::lock
.Assessed type
Token-Transfer