If the admin decides to pause redeem in Redeemer.sol when it’s dangerous, malicious or unprofitable. The paused mode could be bypassed with autoRedeem() or PT token withdraw()/redeem() with authRedeem().
Bypassing the admins decision can result in loss of funds for the project.
Vulnerability Detail
In autoRedeem() and authRedeem(), the underlying can still be transferred to the user:
the user just need to set the allowance to use the autoRedeem()
call the PT token withdraw()/redeem(), which eventually call the Redeemer contract authRedeem().
Impact
Bypassing the admins decision might end up with loss of funds for the project.
Code Snippet
There are no modifier unpaused(u, m) for autoRedeem() and authRedeem(), nor any checks for the unpaused status inside the functions.
141345
medium
Bypass paused
redeem()
Summary
If the admin decides to pause redeem in
Redeemer.sol
when it’s dangerous, malicious or unprofitable. The paused mode could be bypassed withautoRedeem()
or PT tokenwithdraw()/redeem()
withauthRedeem()
.Bypassing the admins decision can result in loss of funds for the project.
Vulnerability Detail
In
autoRedeem()
andauthRedeem()
, the underlying can still be transferred to the user:autoRedeem()
withdraw()/redeem()
, which eventually call theRedeemer
contractauthRedeem()
.Impact
Bypassing the admins decision might end up with loss of funds for the project.
Code Snippet
There are no modifier
unpaused(u, m)
forautoRedeem()
andauthRedeem()
, nor any checks for the unpaused status inside the functions.https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L485-L489
PT token
withdraw()/redeem()
can be called even if paused. https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/tokens/ERC5095.sol#L252-L275https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/tokens/ERC5095.sol#L320-L343
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L443-L452
Tool used
Manual Review
Recommendation
Add the modifier or paused status check in
autoRedeem()
andauthRedeem()
.Duplicate of #113