search

sherlock-audit / 2022-10-illuminate-judging

3 stars 0 forks source link

Jeiwan - User can accidentally burn their iPT tokens during redemption #222

Open sherlock-admin opened 1 year ago

sherlock-admin commented 1 year ago

Jeiwan

high

User can accidentally burn their iPT tokens during redemption

Summary

User can accidentally burn their iPT tokens during redemption

Vulnerability Detail

The redeem function that redeems iPT tokens burns iPT tokens even when the holdings mapping is empty and the redeemed amount is 0 (Redeemer.sol#L403-L434).

Impact

A user can accidentally call the redeem function after maturity but before the other redeem function is called (the one that burns external PT tokens–they have identical names). User's iPT tokens will be burned and no underlying tokens will be sent in exchange.

Code Snippet

Redeemer.sol#L403:

function redeem(address u, uint256 m) external unpaused(u, m) {
    // Get Illuminate's principal token for this market
    IERC5095 token = IERC5095(
        IMarketPlace(marketPlace).token(
            u,
            m,
            uint8(MarketPlace.Principals.Illuminate)
        )
    );

    // Verify the token has matured
    if (block.timestamp < token.maturity()) {
        revert Exception(7, block.timestamp, m, address(0), address(0));
    }

    // Get the amount of tokens to be redeemed from the sender
    uint256 amount = token.balanceOf(msg.sender);

    // Calculate how many tokens the user should receive
    uint256 redeemed = (amount * holdings[u][m]) / token.totalSupply();

    // Update holdings of underlying
    holdings[u][m] = holdings[u][m] - redeemed;

    // Burn the user's principal tokens
    // @audit burns iPT tokens even if  the holdings mapping is empty
    token.authBurn(msg.sender, amount);

    // Transfer the original underlying token back to the user
    Safe.transfer(IERC20(u), msg.sender, redeemed);

    emit Redeem(0, u, m, redeemed, msg.sender);
}

Tool used

Manual Review

Recommendation

Consider disallowing calling the second redeem function (the one that redeems iPT tokens) before the first redeem function (the one that redeems external PT tokens) is called.

Duplicate of #81

sourabhmarathe commented 1 year ago

Input validation is not within the scope of the audit. We expect to use other resources to ensure that users are executing the redemptions properly outside of the smart contract.

JTraversa commented 1 year ago

Duplicate of #239

Evert0x commented 1 year ago

Not a duplicate of #239 but of #81