search

sherlock-audit / 2022-10-illuminate-judging

3 stars 0 forks source link

ak1 - ERC5095.sol#L98 : maxWithdraw should consider owner's balance to return before maturity. Not the contract's balance #190

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

ak1

medium

ERC5095.sol#L98 : maxWithdraw should consider owner's balance to return before maturity. Not the contract's balance

Summary

maxWithdraw is used to fetch the maximum withdrawable underlying asset value.

This is a view function which will give the maximum witherable value.

Vulnerability Detail

Instead of fetching of the caller's max withdrawable value, the function always return the contract's balance.

Impact

The function returns wrong value.

I think, the function is not used anywhere int the contract. But, if it is used in the front end to fetch the max withdrawable value and use it further, then it will be a problem.

If anyone want to use the illuminate's ERC5095 feature and call maxWithdraw the this will be an issue. Lead to integration problem.

Code Snippet

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/tokens/ERC5095.sol#L98-L103

Tool used

Manual Review

Recommendation

Update the code as given in the if block.

function maxWithdraw(address o) external view override returns (uint256) {
    if (block.timestamp < maturity) {
        -return previewWithdraw(_balanceOf[address(this)]);
        +return previewWithdraw(_balanceOf[address(o)]);
    }
    return _balanceOf[o];
}

Duplicate of #129