Redeemer#redeem for Sense can never redeem because it never approves cTokens to be transferred by Converter
Summary
During marketplace setup, Redeemer approves Convertor for yield bearing tokens for AP Wine and Pendle and never approves yield bearing tokens for Sense. AP Wine and Pendle both use Aave tokens meaning that Redeemer never give Converter allowance to transfer it's cTokens, which are the underlying tokens of Sense. Since the approval never happens it will always revert when trying to withdraw its cTokens, making it impossible to redeem any Sense tokens.
Vulnerability Detail
Redeemer.sol
function approve(address i) external authorized(marketPlace) {
if (i != address(0)) {
Safe.approve(IERC20(i), address(converter), type(uint256).max);
}
}
Redeemer only has one method to approve tokens to Converter which can only be called by Marketplace.
Redeemer#approve is only called when either a principal is being set or a market is being created. It only ever calls approval for AP Wine and Pendle yield bearing tokens, both of which happen to be Aave tokens. The result is that it never approves cTokens which are the underlying tokens of Sense. Without this approval call it is impossible to redeem Sense tokens, resulting in loss of user funds.
Impact
Redeemer#redeem for Sense will always revert, causing loss of user funds
sourabhmarathe
commented
2 years ago
0x52
high
Redeemer#redeem for Sense can never redeem because it never approves cTokens to be transferred by Converter
Summary
During marketplace setup, Redeemer approves Convertor for yield bearing tokens for AP Wine and Pendle and never approves yield bearing tokens for Sense. AP Wine and Pendle both use Aave tokens meaning that Redeemer never give Converter allowance to transfer it's cTokens, which are the underlying tokens of Sense. Since the approval never happens it will always revert when trying to withdraw its cTokens, making it impossible to redeem any Sense tokens.
Vulnerability Detail
Redeemer.sol
Redeemer only has one method to approve tokens to Converter which can only be called by Marketplace.
Marketplace.sol
Redeemer#approve is only called when either a principal is being set or a market is being created. It only ever calls approval for AP Wine and Pendle yield bearing tokens, both of which happen to be Aave tokens. The result is that it never approves cTokens which are the underlying tokens of Sense. Without this approval call it is impossible to redeem Sense tokens, resulting in loss of user funds.
Impact
Redeemer#redeem for Sense will always revert, causing loss of user funds
Code Snippet
Redeemer.sol#L342-L398
Tool used
Manual Review
Recommendation
During market creation and principal being set, call for approval of Sense underlying yield bearing token (cToken) as well.
Duplicate of #117