code-423n4 / 2024-02-tapioca-findings


Missing unwrap configuration when withdrawing cross-chain in the `depositYBLendSGLLockXchainTOLP()` function of MagnetarAssetXChainModule results in being unable to lock and participate on the destination chain #180

Open c4-bot-9 opened 6 months ago

c4-bot-9 commented 6 months ago

Lines of code

https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarAssetXChainModule.sol#L104

Vulnerability details

Description

The `depositYBLendSGLLockXchainTOLP()` function attempts to lend into Singularity, then withdraws the Singularity tokens cross-chain to lock and participate on the destination chain. The Singularity tokens are wrapped as TOFT tokens to facilitate cross-chain transfer.

```solidity
uint256 fraction =
    _depositYBLendSGL(data.depositData, data.singularity, IYieldBox(yieldBox), data.user, data.lendAmount);

// wrap SGL receipt into tReceipt
// ! User should approve `address(this)` for `IERC20(data.singularity)` !
uint256 toftAmount = _wrapSglReceipt(IYieldBox(yieldBox), data.singularity, data.user, fraction, data.assetId);
```

This function calls `_withdrawToChain()` with the `unwrap` parameter set to `false`, indicating that TOFT-wrapped Singularity tokens will not be unwrapped upon receipt on the destination chain.

```solidity
_withdrawToChain(
    MagnetarWithdrawData({
        yieldBox: yieldBox,
        assetId: data.assetId,
        unwrap: false,
        lzSendParams: data.lockAndParticipateSendParams.lzParams,
        sendGas: data.lockAndParticipateSendParams.lzSendGas,
        composeGas: data.lockAndParticipateSendParams.lzComposeGas,
        sendVal: data.lockAndParticipateSendParams.lzSendVal,
        composeVal: data.lockAndParticipateSendParams.lzComposeVal,
        composeMsg: data.lockAndParticipateSendParams.lzParams.sendParam.composeMsg,
        composeMsgType: data.lockAndParticipateSendParams.lzComposeMsgType,
        withdraw: true
    })
);
```

However, the `TapiocaOptionLiquidityProvision.lock()` function attempts to acquire YieldBox's shares of the original Singularity tokens. Therefore, upon receiving wrapped Singularity tokens on the destination chain, it should unwrap these tokens to facilitate the execution of subsequent actions.

Impact

`depositYBLendSGLLockXchainTOLP()` will fail to execute the locking process after receiving wrapped Singularity tokens cross-chain.

Tools Used

Manual review

Recommended Mitigation Steps

`depositYBLendSGLLockXchainTOLP()` should call `_withdrawToChain()` with `unwrap` set to `true`.

Assessed type

Context
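
The asset mismatch reported above, as an added example that is not part of the original report and is not Tapioca code: a simplified Python model in which the destination credits either the TOFT wrapper or the underlying Singularity receipt depending on `unwrap`, and `lock()` only accepts the underlying. Assumptions: the class, function and asset labels (`DestinationChain`, `deposit_lend_lock_xchain`, `SGL`, `tSGL`) are hypothetical, and YieldBox shares and token balances are collapsed into one ledger.

```python
from collections import defaultdict

# Constructed labels: the Singularity receipt and its TOFT wrapper.
SGL, T_SGL = "SGL", "tSGL"


class LockReverted(Exception):
    """Stands in for an EVM revert inside lock()."""


class DestinationChain:
    def __init__(self):
        self.balances = defaultdict(int)  # (asset, holder) -> amount
        self.locked = defaultdict(int)    # holder -> SGL amount locked

    def receive(self, user, amount, unwrap):
        # unwrap=True: the wrapper is redeemed and the user is credited SGL.
        # unwrap=False: the user is credited the wrapper itself.
        asset = SGL if unwrap else T_SGL
        self.balances[(asset, user)] += amount
        return asset

    def lock(self, user, amount):
        # lock() pulls the original Singularity asset, never the wrapper.
        held = self.balances[(SGL, user)]
        if held < amount:
            raise LockReverted(f"{user} holds {held} {SGL}, needs {amount}")
        self.balances[(SGL, user)] -= amount
        self.locked[user] += amount


def deposit_lend_lock_xchain(user, toft_amount, unwrap):
    """Model of the flow: send wrapped receipt, then lock on arrival.

    Returns (status, locked SGL, wrapper balance left with the user).
    """
    dst = DestinationChain()
    dst.receive(user, toft_amount, unwrap)
    try:
        dst.lock(user, toft_amount)
        status = "locked"
    except LockReverted:
        status = "reverted"
    return status, dst.locked[user], dst.balances[(T_SGL, user)]


if __name__ == "__main__":
    print("unwrap=False:", deposit_lend_lock_xchain("alice", 100, unwrap=False))
    print("unwrap=True: ", deposit_lend_lock_xchain("alice", 100, unwrap=True))
```
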

c4-sponsor commented 6 months ago

cryptotechmaker (sponsor) confirmed

c4-judge commented 6 months ago

dmvt marked the issue as primary issue

cryptotechmaker commented 6 months ago

Fixed by https://github.com/Tapioca-DAO/tapioca-periph/pull/204

c4-judge commented 6 months ago

dmvt marked the issue as duplicate of #26

c4-judge commented 6 months ago

dmvt marked the issue as satisfactory

c4-judge commented 6 months ago

dmvt marked the issue as selected for report