sherlock-audit / 2022-10-illuminate-judging


__141345__ - `autoRedeem()` should check PT allowance #205

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

141345

high

autoRedeem() should check PT allowance

Summary

In autoRedeem(), uToken allowance is checked instead of PT allowance. But according to the purpose of this function, it should be the PT allowance.

Vulnerability Detail

uToken allowance would probably be 0, hence the `if (allowance < amount)` check will fail. The autoRedeem() function will revert.

Impact

Users' funds could be locked.

Code Snippet

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L511-L528

Tool used

Manual Review

Recommendation

Change to

        uint256 allowance = pt.allowance(f[i], address(this));
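
The mismatch the report describes, as an added example that is not Illuminate's code: a hypothetical minimal redeemer with the wrong-token allowance check beside the corrected one, plus a driver that shows the first path reverting for a holder who approved only the principal token. The contract names, the `autoRedeemWrong`/`autoRedeemFixed` split, the `address[] f` parameter, the 1:1 payout and the `MockToken` are all assumptions made for this example and do not reproduce the real `Redeemer.autoRedeem` signature or logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20-like token, constructed for this example only.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        allowance[from][msg.sender] -= amount; // reverts on underflow in 0.8.x
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical redeemer: each holder in `f` has its PT balance pulled and
// receives underlying 1:1. Not the project's contract.
contract Redeemer {
    MockToken public immutable pt;     // principal token that is pulled from holders
    MockToken public immutable uToken; // underlying paid out to holders

    error InsufficientAllowance(address holder, uint256 allowance, uint256 amount);

    constructor(MockToken pt_, MockToken uToken_) { pt = pt_; uToken = uToken_; }

    // Vulnerable variant: checks the holder's allowance of the *underlying*, although
    // the token actually pulled by transferFrom below is the PT. A holder who approved
    // PT but never approved uToken (the normal case) makes the whole call revert.
    function autoRedeemWrong(address[] calldata f) external {
        for (uint256 i; i < f.length; ++i) {
            uint256 amount = pt.balanceOf(f[i]);
            uint256 allowance = uToken.allowance(f[i], address(this));
            if (allowance < amount) revert InsufficientAllowance(f[i], allowance, amount);
            pt.transferFrom(f[i], address(this), amount);
            uToken.transfer(f[i], amount);
        }
    }

    // Fixed variant: the allowance checked is for the token that is being pulled.
    function autoRedeemFixed(address[] calldata f) external {
        for (uint256 i; i < f.length; ++i) {
            uint256 amount = pt.balanceOf(f[i]);
            uint256 allowance = pt.allowance(f[i], address(this));
            if (allowance < amount) revert InsufficientAllowance(f[i], allowance, amount);
            pt.transferFrom(f[i], address(this), amount);
            uToken.transfer(f[i], amount);
        }
    }
}

// Driver: this contract acts as the PT holder, approves only PT (as a user would),
// and reports whether the wrong path reverted, whether the fixed path succeeded,
// and how much underlying it received.
contract Demo {
    function run() external returns (bool wrongReverted, bool fixedOk, uint256 paidOut) {
        MockToken pt = new MockToken();
        MockToken u = new MockToken();
        Redeemer r = new Redeemer(pt, u);

        pt.mint(address(this), 100e18); // holder owns 100 PT
        u.mint(address(r), 100e18);     // redeemer holds underlying to pay out
        pt.approve(address(r), 100e18); // PT approved; uToken allowance stays 0

        address[] memory f = new address[](1);
        f[0] = address(this);

        try r.autoRedeemWrong(f) { wrongReverted = false; } catch { wrongReverted = true; }
        try r.autoRedeemFixed(f) { fixedOk = true; } catch { fixedOk = false; }
        paidOut = u.balanceOf(address(this)); // 100e18 once the fixed path has run
    }
}
```

Deploy `Demo` and call `run()` (Remix or a Foundry script): it returns `(true, true, 100e18)`, i.e. the underlying-allowance check rejects a holder who did exactly what the function expects of them, while checking `pt.allowance` lets the same holder redeem. The check only ever gates a revert; the PT is still pulled with `transferFrom` in both variants, so the wrong check cannot move tokens it was not approved for, which is why no funds are at risk beyond the call reverting.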

sourabhmarathe commented 1 year ago

While the issue is correct in pointing out the allowance should check the principal token and not the underlying (which aligns more with the user experience we want to provide), ultimately no funds are at risk. As such, this issue's severity will be disputed.

https://docs.sherlock.xyz/audits/watsons/judging

sourabhmarathe commented 1 year ago

https://github.com/Swivel-Finance/illumigrate/pull/241