The mintBBLendSGLLockTOLP function of the MagnetarAssetModule attempts to lend to Singularity and then lock the received Singularity liquidity tokens into the TapiocaOptionLiquidityProvision contract.
uint256 fraction = _depositYBLendSGL(
data.depositData, data.externalContracts.singularity, yieldBox_, data.user, data.lendAmount
);
// if `lockData.lock`:
// - transfer `fraction` from data.user to `address(this)
// - deposits `fraction` to YB for `address(this)`
// - performs tOLP.lock
uint256 tOLPTokenId = _lockOnTOB(
data.lockData,
yieldBox_,
fraction,
data.participateData.participate,
data.user,
data.externalContracts.singularity
);
The TapiocaOptionLiquidityProvision.lock() function attempts to acquire YieldBox's shares of the original Singularity tokens. _lockOnTOB will retrieve the received Singularity tokens from the user to deposit into YieldBox before locking into TapiocaOptionLiquidityProvision.
However, on some specific chains, YieldBox uses the tOFT-wrapped version of Singularity liquidity tokens for SingularityAssetId. This means that after lending into SGL, the user needs to wrap the received Singularity tokens into the tOFT version of Singularity, then deposit them into YieldBox to obtain shares of SingularityAssetId. This information was provided by the sponsor, indicating that YieldBox uses the tOFT version of SGL tokens on chains except Arbitrum.
Therefore, in that case, the mintBBLendSGLLockTOLP() function needs to have an option to wrap Singularity tokens before executing _lockOnTOB.
Impact
The mintBBLendSGLLockTOLP() function of Magnetar will be broken on some chains due to the difference in handling Singularity tokens.
Tools Used
Manual review
Recommended Mitigation Steps
mintBBLendSGLLockTOLP() function should have an option to wrap Singularity tokens before executing _lockOnTOB
Lines of code
https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarMintModule.sol#L69-L84
Vulnerability details
Description
The
mintBBLendSGLLockTOLP
function of the MagnetarAssetModule attempts to lend to Singularity and then lock the received Singularity liquidity tokens into the TapiocaOptionLiquidityProvision contract.The
TapiocaOptionLiquidityProvision.lock()
function attempts to acquire YieldBox's shares of the original Singularity tokens._lockOnTOB
will retrieve the received Singularity tokens from the user to deposit into YieldBox before locking into TapiocaOptionLiquidityProvision.However, on some specific chains, YieldBox uses the tOFT-wrapped version of Singularity liquidity tokens for SingularityAssetId. This means that after lending into SGL, the user needs to wrap the received Singularity tokens into the tOFT version of Singularity, then deposit them into YieldBox to obtain shares of SingularityAssetId. This information was provided by the sponsor, indicating that YieldBox uses the tOFT version of SGL tokens on chains except Arbitrum.
Therefore, in that case, the
mintBBLendSGLLockTOLP()
function needs to have an option to wrap Singularity tokens before executing_lockOnTOB
.Impact
The
mintBBLendSGLLockTOLP()
function of Magnetar will be broken on some chains due to the difference in handling Singularity tokens.Tools Used
Manual review
Recommended Mitigation Steps
mintBBLendSGLLockTOLP()
function should have an option to wrap Singularity tokens before executing_lockOnTOB
Assessed type
Context