Insufficient reentrancy protection in Lender allows for minting principal tokens multiple times but paying only once.
Vulnerability Detail
Some of the Lender.lend functions give the control flow to a contract whose adress can be passed arbitrarily as parameter. This enables reentrancy by passing in a malicious contract that reenters the lend function and causes more principal tokens to be minted than should be allowed.
The lend functions affected are those for Illuminate+Yield, Element, APWine, Tempus and Sense.
Impact
More principal tokens are minted than should have been, leaving the iPT market undercollateralized, meaning the Lender contract wont have enough principal tokens from external projects to redeem all iPT.
Code Snippet
This gist shows an executable POC on how the exploit works for the Sense related lend function (mostly a copy of Lender.t.sol, but added EvilSensePeriphery and testSenseLendExploit). The exploit path works the same for all other vulnerable lend functions
Can be called with forge test --fork-url https://eth-mainnet.g.alchemy.com/v2/APIKEY --fork-block-number 15189976 --use solc:0.8.16 --via-ir --match testSenseLendExploit -vvv
Tool used
Manual Review
Recommendation
Add a reentrancy protection modifier such as OpenZeppelins nonreentrant. Also consider validating or whitelisting the passed contract addresses
minhtrng
unlabeled
Reentrancy in lending allows overminting of iPT
Summary
Insufficient reentrancy protection in
Lenderallows for minting principal tokens multiple times but paying only once.Vulnerability Detail
Some of the
Lender.lendfunctions give the control flow to a contract whose adress can be passed arbitrarily as parameter. This enables reentrancy by passing in a malicious contract that reenters thelendfunction and causes more principal tokens to be minted than should be allowed.The
lendfunctions affected are those for Illuminate+Yield, Element, APWine, Tempus and Sense.Impact
More principal tokens are minted than should have been, leaving the iPT market undercollateralized, meaning the
Lendercontract wont have enough principal tokens from external projects to redeem all iPT.Code Snippet
This gist shows an executable POC on how the exploit works for the Sense related
lendfunction (mostly a copy ofLender.t.sol, but addedEvilSensePeripheryandtestSenseLendExploit). The exploit path works the same for all other vulnerablelendfunctionsCan be called with
forge test --fork-url https://eth-mainnet.g.alchemy.com/v2/APIKEY --fork-block-number 15189976 --use solc:0.8.16 --via-ir --match testSenseLendExploit -vvvTool used
Manual Review
Recommendation
Add a reentrancy protection modifier such as OpenZeppelins
nonreentrant. Also consider validating or whitelisting the passed contract addressesDuplicate of #179