depositAll() should use fsGLP as the tokensOut in PLVGLPController
Summary
depositAll() is one of the functions specified in the PLVGLPController controller for deposits. The tokensOut used is sGLP instead of the preferred fsGLP .
Vulnerability Detail
The Plutus GLP Depositor contract exposes the depositAll() function as follows:
function depositAll() external {
deposit(fsGLP.balanceOf(msg.sender));
}
This function uses the balance of fsGLP to determine how much sGLP will be deposited.
The PLVGLPController of Sentiment however tracks tokensOut as sGLP.
function canCall(address, bool, bytes calldata data)
external
view
returns (bool, address[] memory, address[] memory)
{
bytes4 sig = bytes4(data);
if (sig == DEPOSIT || sig == DEPOSIT_ALL) {
return (true, PLVGLP, sGLP);
}
Note: fsGLP and sGLP have different token addresses but are both transferred to an account after a RewardRouterV2Controller::mintAndStakeGlp transaction.
IERC20 public constant fsGLP = IERC20(0x1aDDD80E6039594eE970E5872D247bf0414C8903);
IERC20 public constant sGLP = IERC20(0x2F546AD4eDD93B956C8999Be404cdCAFde3E89AE);
To accurately track balances, the fsGLP token should be used instead.
Impact
For functions such as depositAll() which rely on token balances, fsGLP ensures accurate balancing tracking within the protocol and avoids accounting issues.
ck
medium
depositAll()
should usefsGLP
as the tokensOut inPLVGLPController
Summary
depositAll()
is one of the functions specified in thePLVGLPController
controller for deposits. ThetokensOut
used issGLP
instead of the preferredfsGLP
.Vulnerability Detail
The Plutus GLP Depositor contract exposes the
depositAll()
function as follows:https://arbiscan.io/address/0x13F0D29b5B83654A200E4540066713d50547606E#code
This function uses the balance of
fsGLP
to determine how muchsGLP
will be deposited.The
PLVGLPController
of Sentiment however tracks tokensOut assGLP
.Note:
fsGLP
andsGLP
have different token addresses but are both transferred to an account after aRewardRouterV2Controller::mintAndStakeGlp
transaction.To accurately track balances, the
fsGLP
token should be used instead.Impact
For functions such as depositAll() which rely on token balances,
fsGLP
ensures accurate balancing tracking within the protocol and avoids accounting issues.Code Snippet
https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/plutus/PLVGLPController.sol#L48-L64
Tool used
Manual Review
Recommendation
Track GLP balances with
fsGLP
instead ofsGLP
Duplicate of #28