search

sherlock-audit / 2022-10-illuminate-judging

3 stars 0 forks source link

ctf_sec - function autoRedeem should check the principle token allowance instead of the underlying token allowance in Redeemer.sol #144

Closed sherlock-admin closed 2 years ago

sherlock-admin commented 2 years ago

ctf_sec

high

function autoRedeem should check the principle token allowance instead of the underlying token allowance in Redeemer.sol

Summary

function autoRedeem should check the principle token allowance instead of the underlying token in Redeemer.sol

Vulnerability Detail

The autoRedeem function in Redeemer is implemented below.

// Retrieve the underlying
IERC20 uToken = IERC20(u);

// Sum up the fees received by the caller
uint256 incentiveFee;

// Get the number of owners to loop through
uint256 length = f.length;

// Loop through the provided arrays and mature each individual position
for (uint256 i; i != length; ) {
    // Fetch the allowance set by the holder of the principal tokens
    uint256 allowance = uToken.allowance(f[i], address(this));

    // Get the amount of tokens held by the owner
    uint256 amount = pt.balanceOf(f[i]);

    // Calculate how many tokens the user should receive
    uint256 redeemed = (amount * holdings[u][m]) / pt.totalSupply();

    // Calculate the fees to be received (currently .025%)
    uint256 fee = redeemed / feenominator;

    // Verify allowance
    if (allowance < amount) {
        revert Exception(20, allowance, amount, address(0), address(0));
    }

    // Burn the tokens from the user
    pt.authBurn(f[i], amount);

Our focus is on three lines of code:

first:

// Retrieve the underlying
IERC20 uToken = IERC20(u);

second:

// Fetch the allowance set by the holder of the principal tokens
uint256 allowance = uToken.allowance(f[i], address(this));

Third:

// Burn the tokens from the user
pt.authBurn(f[i], amount);

We want to burn the principle token from user but we are checking the allowance for underlying token.

Impact

We want to burn the principle token from user but we are checking the allowance for underlying token. Clearly the pt.burn may revert in insufficient allowance error.

Code Snippet

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L498-L543

Tool used

Manual Review

Recommendation

Chaneg from 

// Fetch the allowance set by the holder of the principal tokens
uint256 allowance = uToken.allowance(f[i], address(this));

to

// Fetch the allowance set by the holder of the principal tokens
uint256 allowance = pt.allowance(f[i], address(this));

Duplicate of https://github.com/sherlock-audit/2022-10-illuminate-judging/issues/205

sourabhmarathe commented 2 years ago

Duplicate of #205.