Mint Illuminate's ERC5095 indefinitely and auto redeem
Summary
mint lets users deposit Illuminate's ERC5095 and mint more of it. Later these tokens can be auto-redeemed.
Vulnerability Detail
Lender provides a very simple mint function where the users can just deposit any principal token and get ERC5095 in return:
address principal = IMarketPlace(marketPlace).token(u, m, p);
// Transfer the users principal tokens to the lender contract
Safe.transferFrom(IERC20(principal), msg.sender, address(this), a);
// Mint the tokens received from the user
IERC5095(principalToken(u, m)).authMint(msg.sender, a);
Malicious users can deposit and mint Illuminate tokens over and over again because there are no restrictions.
This will increase the total supply of ERC5095 and legitimate users will receive less:
uint256 redeemed = (a * holdings[u][m]) / pt.totalSupply();
Also, this can crash the system later, because anyone can autoRedeem on behalf of the Lender:
because Lender has automatically approved Redeemer to transfer all its tokens:
/// @notice approves the redeemer contract to spend the principal tokens held by the lender contract.
/// @param u address of an underlying asset
/// @param m maturity (timestamp) of the market
/// @param r the address being approved, in this case the redeemer contract
/// @return bool true if the approval was successful
function approve(
address u,
uint256 m,
address r
) external authorized(admin) returns (bool) {
// approve the underlying for max per given principal
for (uint8 i; i != 9; ) {
// get the principal token's address
address token = IMarketPlace(marketPlace).token(u, m, i);
// check that the token is defined for this particular market
if (token != address(0)) {
// max approve the token
Safe.approve(IERC20(token), r, type(uint256).max);
}
unchecked {
++i;
}
}
return true;
}
Impact
Anyone can mint ERC5095 indefinitely and later redeem all the fictitiously minted tokens to the Lender contract and leave dust for the legitimate users.
HonorLt
high
Mint Illuminate's ERC5095 indefinitely and auto redeem
Summary
mintlets users deposit Illuminate's ERC5095 and mint more of it. Later these tokens can be auto-redeemed.Vulnerability Detail
Lender provides a very simple mint function where the users can just deposit any principal token and get ERC5095 in return:
Malicious users can deposit and mint Illuminate tokens over and over again because there are no restrictions. This will increase the total supply of ERC5095 and legitimate users will receive less:
Also, this can crash the system later, because anyone can
autoRedeemon behalf of the Lender:because Lender has automatically approved Redeemer to transfer all its tokens:
Impact
Anyone can mint ERC5095 indefinitely and later redeem all the fictitiously minted tokens to the Lender contract and leave dust for the legitimate users.
Code Snippet
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L264-L288
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L141-L165
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L511
Tool used
Manual Review
Recommendation
Forbid indefinite mint and block
autoRedeemwhen f address is Lender.Duplicate of #108