sherlock-audit / 2023-01-sentiment-judging

2 stars 0 forks source link

ck - `depositAll()` should use `fsGLP` as the tokensOut in `PLVGLPController` #23

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

ck

medium

depositAll() should use fsGLP as the tokensOut in PLVGLPController

Summary

depositAll() is one of the functions specified in the PLVGLPController controller for deposits. The tokensOut used is sGLP instead of the preferred fsGLP .

Vulnerability Detail

The Plutus GLP Depositor contract exposes the depositAll() function as follows:

https://arbiscan.io/address/0x13F0D29b5B83654A200E4540066713d50547606E#code

  function depositAll() external {
    deposit(fsGLP.balanceOf(msg.sender));
  }

This function uses the balance of fsGLP to determine how much sGLP will be deposited.

The PLVGLPController of Sentiment however tracks tokensOut as sGLP.

    function canCall(address, bool, bytes calldata data)
        external
        view
        returns (bool, address[] memory, address[] memory)
    {
        bytes4 sig = bytes4(data);

        if (sig == DEPOSIT || sig == DEPOSIT_ALL) {
            return (true, PLVGLP, sGLP);
        }

Note: fsGLP and sGLP have different token addresses but are both transferred to an account after a RewardRouterV2Controller::mintAndStakeGlp transaction.

  IERC20 public constant fsGLP = IERC20(0x1aDDD80E6039594eE970E5872D247bf0414C8903);
  IERC20 public constant sGLP = IERC20(0x2F546AD4eDD93B956C8999Be404cdCAFde3E89AE);

To accurately track balances, the fsGLP token should be used instead.

Impact

For functions such as depositAll() which rely on token balances, fsGLP ensures accurate balancing tracking within the protocol and avoids accounting issues.

Code Snippet

https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/plutus/PLVGLPController.sol#L48-L64

Tool used

Manual Review

Recommendation

Track GLP balances with fsGLP instead of sGLP

Duplicate of #28