Closed sherlock-admin closed 1 year ago
While the issue is correct in pointing out the allowance should check the principal token and not the underlying (which aligns more with the user experience we want to provide), ultimately no funds are at risk. As such, this issue's severity will be disputed.
141345
high
autoRedeem() should check PT allowance
Summary
In autoRedeem(), uToken allowance is checked instead of PT allowance. But according to the purpose of this function, it should be the PT allowance.
Vulnerability Detail
uToken allowance would probably be 0, hence the if (allowance < amount) will fail. The autoRedeem() function will revert.
Impact
Users' funds could be locked.
Code Snippet
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L511-L528
Tool used
Manual Review
Recommendation
Change to