Closed sherlock-admin closed 2 years ago
sourabhmarathe
commented
2 years ago A malicious user would not be able to call autoRedeem on behalf of Alice due to the fact that Alice must approve the usage of autoRedeem in advance. In addition, purchasing PTs does not inflate the supply of them. Instead, a user must mint PTs in order to create them.
JTraversa
commented
2 years ago To reiterate,
a malicious user firstly buy 90,000 PT, inflate the PT total supply to 100,000.
This would not work as suggested as the total supply itself is dependent on external principal token deposits, meaning the attack would not end up stealing anything from the user.
141345
commented
2 years ago Escalate for 21 USDC
Alice must approve the usage of
autoRedeemin advance.
Yes, the issue here is discussing the users who choose to approve autoRedeem usage. And it seems to be the rationale behind this function, let some users have hands-off operation.
In addition, purchasing PTs does not inflate the supply of them. Instead, a user must
mintPTs in order to create them.This would not work as suggested as the total supply itself is dependent on external principal token deposits, meaning the attack would not end up stealing anything from the user.
Here "purchasing" just mean mint(), because I treat transferFrom() the necessary principal token as purchasing.
When this mint() call authMint(), new PTs will increase the totalSupply, as a result, Alice's share in total PTs will decrease.
The point of this issue here is, the user's redemption amount depends on the shares of the total PTs, which can be artificially influenced.
sherlock-admin
commented
2 years ago Escalate for 21 USDC
Alice must approve the usage of
autoRedeemin advance.Yes, the issue here is discussing the users who choose to approve
autoRedeemusage. And it seems to be the rationale behind this function, let some users have hands-off operation.In addition, purchasing PTs does not inflate the supply of them. Instead, a user must
mintPTs in order to create them.This would not work as suggested as the total supply itself is dependent on external principal token deposits, meaning the attack would not end up stealing anything from the user.
Here "purchasing" just mean
mint(), because I treattransferFrom()the necessary principal token as purchasing.When this
mint()callauthMint(), new PTs will increase the totalSupply, as a result, Alice's share in total PTs will decrease.The point of this issue here is, the user's redemption amount depends on the shares of the total PTs, which can be artificially influenced.
You've created a valid escalation for 21 USDC!
To remove the escalation from consideration: Delete your comment. To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
141345
high
autoRedeem()could be abused to dilute other users fundSummary
The underlying amount users gets by
autoRedeem()is based on the PT share percentage, this mechanism could be abused by malicious user with some vector like sandwich attack.Vulnerability Detail
Imagine the following:
holdings[u1][m1]is $1,000. In principle the amount Alice deserves is $100autoRedeem()for Alice, the 1000 PT balance is burned, and the underlying redeemed is only $10 for Alice.(u2, m2), which is not affected by the total supply inflation.Actually, the malicious user can also redeem in the same m
(u1, m1), because the majority of theholdings[u1][m1]cold be taken.The key point is the PT share percentage can be easily manipulated.
Impact
User's PT balance share could be manipulated, some users will lose fund.
Code Snippet
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L517
Tool used
Manual Review
Recommendation
Do the underlying redeem amount calculation based on the PT balance, instead of the external markets redeem amount and PT share percentage.