Converter contract is not polished and may leak value.
Vulnerability Detail
There are several problems with the Converter. When trying to withdraw from Aave, it approves the underlying token, not the principal:
// Allow the pool to spend the funds
Safe.approve(IERC20(u), pool, a);
// withdraw from Aave
IAaveLendingPool(pool).withdraw(u, a, msg.sender);
Also, if tokens are accidentally sent to this contract or unintentionally stuck (a reference to another issue regarding Compound integration), anyone can redeem them.
Impact
The current version of Converter is not reliable to be used in prod.
HonorLt
medium
Converter problems
Summary
Convertercontract is not polished and may leak value.Vulnerability Detail
There are several problems with the
Converter. When trying to withdraw from Aave, it approves the underlying token, not the principal:Also, if tokens are accidentally sent to this contract or unintentionally stuck (a reference to another issue regarding Compound integration), anyone can redeem them.
Impact
The current version of Converter is not reliable to be used in prod.
Code Snippet
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Converter.sol
Tool used
Manual Review
Recommendation
Consider improving the robustness of the Converter and fixing the aforementioned issues.