Missing unwrap configuration when withdrawing cross-chain in the `depositYBLendSGLLockXchainTOLP()` function of MagnetarAssetXChainModule results in being unable to lock and participate on the destination chain #180
The depositYBLendSGLLockXchainTOLP() function attempts to lend into Singularity, then withdraws the Singularity tokens cross-chain to lock and participate on the destination chain. The Singularity tokens are wrapped as TOFT tokens to facilitate cross-chain transfer.
uint256 fraction =
_depositYBLendSGL(data.depositData, data.singularity, IYieldBox(yieldBox), data.user, data.lendAmount);
// wrap SGL receipt into tReceipt
// ! User should approve `address(this)` for `IERC20(data.singularity)` !
uint256 toftAmount = _wrapSglReceipt(IYieldBox(yieldBox), data.singularity, data.user, fraction, data.assetId);
This function calls _withdrawToChain() with the unwrap parameter set to false, indicating that TOFT-wrapped Singularity tokens will not be unwrapped upon receipt on the destination chain.
However, the TapiocaOptionLiquidityProvision.lock() function attempts to acquire YieldBox's shares of the original Singularity tokens. Therefore, upon receiving wrapped Singularity tokens on the destination chain, it should unwrap these tokens to facilitate the execution of subsequent actions.
Impact
depositYBLendSGLLockXchainTOLP() will fail to execute the locking process after receiving wrapped Singularity tokens cross-chain.
Tools Used
Manual review
Recommended Mitigation Steps
depositYBLendSGLLockXchainTOLP() should call _withdrawToChain() with unwrap set to true.
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarAssetXChainModule.sol#L104
Vulnerability details
Description
The
depositYBLendSGLLockXchainTOLP()
function attempts to lend into Singularity, then withdraws the Singularity tokens cross-chain to lock and participate on the destination chain. The Singularity tokens are wrapped as TOFT tokens to facilitate cross-chain transfer.This function calls
_withdrawToChain()
with theunwrap
parameter set to false, indicating that TOFT-wrapped Singularity tokens will not be unwrapped upon receipt on the destination chain.However, the
TapiocaOptionLiquidityProvision.lock()
function attempts to acquire YieldBox's shares of the original Singularity tokens. Therefore, upon receiving wrapped Singularity tokens on the destination chain, it should unwrap these tokens to facilitate the execution of subsequent actions.Impact
depositYBLendSGLLockXchainTOLP()
will fail to execute the locking process after receiving wrapped Singularity tokens cross-chain.Tools Used
Manual review
Recommended Mitigation Steps
depositYBLendSGLLockXchainTOLP()
should call_withdrawToChain()
withunwrap
set to true.Assessed type
Context