sherlock-audit / 2023-01-sentiment-judging


Bahurum - Impossible to deposit into or redeem from PLV GLP Vault #27

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

Bahurum

medium

Impossible to deposit into or redeem from PLV GLP Vault

Summary

glpDepositor functions deposit(), depositAll(), redeem() and redeemAll() require the caller to be an EOA or a whitelisted address. Since it is not possible to whitelist every Sentiment account, the calls to PLV GLP Vault Depositor will always fail.

Vulnerability Detail

In glpDepositor, deposit() has an access control check (_isEligibleSender()), lines 55-58:

  function deposit(uint256 _amount) public whenNotPaused {
    _isEligibleSender();
    _deposit(msg.sender, _amount);
  }

where at lines 170-174:

  function _isEligibleSender() private view {
    if (
      msg.sender != tx.origin && whitelist.isWhitelisted(msg.sender) == false && partners[msg.sender].isActive == false
    ) revert UNAUTHORIZED();
  }

This requires that the caller is an EOA, whitelisted, or a partner. Since one cannot whitelist each Sentiment account or make it a partner, it is not possible to call deposit(), since it would always revert. The same applies to depositAll(), redeem() and redeemAll().

Impact

The integration with Plutus GLP Vault does not work (neither deposit nor redeem).

Code Snippet

https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/plutus/PLVGLPController.sol#L16-L26

Tool used

Manual Review

Recommendation

Right now, Sentiment cannot integrate with the PLV GLP Vault. Consider contacting Plutus protocol.

r0ohafza commented 1 year ago

The Plutus whitelist contract actually whitelists all the Sentiment accounts, as seen here: https://arbiscan.io/address/0x97247de3fe7c5aa718b2be4d454e42de11eafc6d#code which will enable all Sentiment accounts to deposit into Plutus.
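
The gate discussed in this thread, reproduced as an added Foundry test (not code from the report, Plutus or Sentiment): it shows that a call forwarded by a contract account reverts only while the whitelist does not recognise that account. `GatedDepositor`, `RegistryWhitelist`, `AccountStub` and `register` are hypothetical names, the partners branch is omitted, and how the deployed whitelist actually identifies accounts is an assumption here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import "forge-std/Test.sol";

// Added illustration; every contract name below is hypothetical.
interface IWhitelist { function isWhitelisted(address who) external view returns (bool); }

// Assumed design: the whitelist answers from a registry of contract accounts.
contract RegistryWhitelist is IWhitelist {
    mapping(address => bool) public isAccount;
    function register(address a) external { isAccount[a] = true; }
    function isWhitelisted(address a) external view returns (bool) { return isAccount[a]; }
}

// Same gate as _isEligibleSender() in the report, without the partners branch.
contract GatedDepositor {
    error UNAUTHORIZED();
    IWhitelist public whitelist;
    mapping(address => uint256) public deposited;
    constructor(IWhitelist w) { whitelist = w; }
    function deposit(uint256 amount) external {
        if (msg.sender != tx.origin && !whitelist.isWhitelisted(msg.sender)) revert UNAUTHORIZED();
        deposited[msg.sender] += amount;
    }
}

// Stand-in for a smart-contract account that forwards its owner's call.
contract AccountStub {
    function depositTo(GatedDepositor d, uint256 amount) external { d.deposit(amount); }
}

contract EligibleSenderTest is Test {
    address owner = address(0xA11CE); // constructed EOA address
    RegistryWhitelist wl = new RegistryWhitelist();
    GatedDepositor dep = new GatedDepositor(wl);
    AccountStub acct = new AccountStub();

    function testGate() public {
        vm.prank(owner, owner); // direct EOA call: msg.sender == tx.origin
        dep.deposit(1);
        assertEq(dep.deposited(owner), 1);
        vm.expectRevert(GatedDepositor.UNAUTHORIZED.selector);
        vm.prank(owner, owner);
        acct.depositTo(dep, 1); // at dep: msg.sender = acct, tx.origin = owner
        wl.register(address(acct)); // whitelist now recognises the account
        vm.prank(owner, owner);
        acct.depositTo(dep, 1);
        assertEq(dep.deposited(address(acct)), 1);
    }
}
```

Run with `forge test` in a project that has forge-std installed.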