sherlock-audit / 2022-10-illuminate-judging


kenzo - Lending on Swivel: protocol fees not taken when remainder of underlying is swapped in YieldPool #45

Open sherlock-admin opened 1 year ago

sherlock-admin commented 1 year ago

kenzo

medium

Lending on Swivel: protocol fees not taken when remainder of underlying is swapped in YieldPool

Summary

The lend function for Swivel allows swapping the remainder of the underlying on Yield. But it does not take protocol fees on this amount.

Vulnerability Detail

When executing orders on Swivel, if the user has set e==true and there is remaining underlying, the lending function will swap these funds using YieldPool. But it does not take the protocol fees on that amount.

Impact

Some protocol fees will be lost. Users may even use this function to trade on the YieldPool without incurring protocol fees. While I think it can be rightfully said that at that point they can just straight away trade on the YieldPool without incurring fees, that can also be said about the general Illuminate/Yield lend function, which swaps on the YieldPool and does extract fees.

Code Snippet

In Swivel's lend function, if the user has set e to true, the following block will be executed. Note that no fees are extracted from the raw balance.

    if (e) {
        // Calculate the premium
        uint256 premium = IERC20(u).balanceOf(address(this)) - starting;
        // Swap the premium for Illuminate principal tokens
        swivelLendPremium(u, m, y, premium, premiumSlippage);
    }

swivelLendPremium being:

    // Lend remaining funds to Illuminate's Yield Space Pool
    uint256 swapped = yield(u, y, p, address(this), IMarketPlace(marketPlace).token(u, m, 0), slippageTolerance);
    // Mint the remaining tokens
    IERC5095(principalToken(u, m)).authMint(msg.sender, swapped);

And yield doesn't take protocol fees either. So the fees are lost from the premium.

Tool used

Manual Review

Recommendation

In the if(e) block of Swivel's lend, extract the protocol fee from premium.
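
An added model of the fee accounting described in this finding, not code from the report or from Illuminate: it contrasts the Yield lend path with the Swivel `if (e)` premium branch and measures the fees that go uncollected. The fee formula (`amount // FEE_DIVISOR`), the 1:1 swap rate, the amounts and all Python names are assumptions.

```python
from dataclasses import dataclass, field

FEE_DIVISOR = 1000  # assumption: protocol fee = amount // FEE_DIVISOR


@dataclass
class LenderModel:
    fee_on_premium: bool  # False: behaviour in the report; True: the recommendation
    balance: int = 0      # underlying held by the lender contract
    fees: int = 0         # protocol fees actually accrued
    owed: int = 0         # fees due on everything sent to the YieldPool
    minted: dict = field(default_factory=dict)

    def _fee(self, amount: int, charge: bool = True) -> int:
        """Record the fee due on `amount`; return the net amount to swap."""
        fee = amount // FEE_DIVISOR
        self.owed += fee
        if not charge:
            return amount
        self.fees += fee
        return amount - fee

    def _yield_and_mint(self, user: str, amount: int) -> None:
        # Stand-in for yield() + authMint(); a 1:1 swap rate is assumed.
        self.balance -= amount
        self.minted[user] = self.minted.get(user, 0) + amount

    def lend_yield(self, user: str, amount: int) -> None:
        """General Illuminate/Yield path: fee extracted, remainder swapped."""
        self.balance += amount
        self._yield_and_mint(user, self._fee(amount))

    def lend_swivel(self, user: str, remaining_underlying: int, e: bool) -> None:
        """Swivel path; only the `if (e)` premium branch is modelled."""
        starting = self.balance
        self.balance += remaining_underlying  # underlying left after the orders execute
        if e:
            premium = self.balance - starting
            self._yield_and_mint(user, self._fee(premium, self.fee_on_premium))

    def fee_shortfall(self) -> int:
        return self.owed - self.fees


def run(fee_on_premium: bool) -> LenderModel:
    m = LenderModel(fee_on_premium)
    m.lend_yield("alice", 50_000)          # constructed amounts
    m.lend_swivel("bob", 20_000, e=True)
    return m
```

The same `owed == fees` check can serve as a regression invariant in a test suite for the real contract once the fee is extracted from the premium.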

sourabhmarathe commented 1 year ago

https://github.com/Swivel-Finance/illumigrate/pull/233