Some functions and integrations receive the wrong parameters.
Vulnerability Detail
Here, this does not work:
} else if (p == uint8(Principals.Notional)) {
// Principal token must be approved for Notional's lend
ILender(lender).approve(address(0), address(0), address(0), a);
because it basically translates to:
} else if (p == uint8(Principals.Notional)) {
if (a != address(0)) {
Safe.approve(IERC20(address(0)), a, type(uint256).max);
}
It tries to approve a non-existing token. It should approve the underlying token and Notional's token contract.
Another issue is with Tempus here:
// Swap on the Tempus Router using the provided market and params
ITempus(controller).depositAndFix(x, lent, true, r, d);
// Calculate the amount of Tempus principal tokens received after the deposit
uint256 received = IERC20(principal).balanceOf(address(this)) - start;
// Verify that a minimum number of principal tokens were received
if (received < r) {
revert Exception(11, received, r, address(0), address(0));
}
It passes r as a slippage parameter and later checks that received >= r. However, in Tempus this parameter is not exactly the minimum amount to receive, it is the ratio which is calculated as follows:
/// @param minTYSRate Minimum exchange rate of TYS (denominated in TPS) to receive in exchange for TPS
function depositAndFix(
ITempusAMM tempusAMM,
uint256 tokenAmount,
bool isBackingToken,
uint256 minTYSRate,
uint256 deadline
) external payable nonReentrant {
...
uint256 minReturn = swapAmount.mulfV(minTYSRate, targetPool.backingTokenONE());
Impact
Inaccurate parameter values may lead to protocol misfunction down the road, e.g. insufficient approval or unpredicted slippage.
sourabhmarathe
commented
1 year ago
HonorLt
medium
Incorrect parameters
Summary
Some functions and integrations receive the wrong parameters.
Vulnerability Detail
Here, this does not work:
because it basically translates to:
It tries to approve a non-existing token. It should approve the underlying token and Notional's token contract.
Another issue is with Tempus here:
It passes
ras a slippage parameter and later checks thatreceived >= r. However, in Tempus this parameter is not exactly the minimum amount to receive, it is the ratio which is calculated as follows:Impact
Inaccurate parameter values may lead to protocol misfunction down the road, e.g. insufficient approval or unpredicted slippage.
Code Snippet
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Marketplace.sol#L236-L239
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L189-L199
Tool used
Manual Review
Recommendation
Review all the integrations and function invocations, and make sure the appropriate parameters are passed.