DoS `autoRedeem()` to lock other users fund

Summary

The purpose of the autoRedeem() function is to make it easier for some users to redeem the underlying when they are not available. But this feature could be abused to DoS the function and lock users' fund.

Vulnerability Detail

If the allowance and amount are close, the griefer can send just enough of PT to the victim's address to just make the if (allowance < amount) check fail.

        uint256 amount = pt.balanceOf(f[i]);
        // ...
        if (allowance < amount) {
            revert Exception(20, allowance, amount, address(0), address(0));
        }

Impact

Some users' fund could be locked and fail the autoRedeem() function.
The autoRedeem() function could be easily DoS and fail.

Code Snippet

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L511-L525

Tool used

Manual Review

Recommendation

add access control for the autoRedeem() function.

Duplicate of https://github.com/sherlock-audit/2022-10-illuminate-judging/issues/205

sherlock-audit / 2022-10-illuminate-judging

141345 - DoS `autoRedeem()` to lock other users fund #198

DoS `autoRedeem()` to lock other users fund

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

sherlock-audit / 2022-10-illuminate-judging

__141345__ - DoS `autoRedeem()` to lock other users fund #198

DoS autoRedeem() to lock other users fund

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

141345 - DoS `autoRedeem()` to lock other users fund #198

DoS `autoRedeem()` to lock other users fund