Closed github-actions[bot] closed 1 year ago
The plutus whitelist contract actually whitelists all the sentiment accounts as seen here https://arbiscan.io/address/0x97247de3fe7c5aa718b2be4d454e42de11eafc6d#code which will enable all sentiment accounts to deposit into plutus.
Bahurum
medium
Impossible to deposit into or redeem from PLV GLP Vault
Summary
glpDepositor
functionsdeposit()
,depositAll()
,redeem()
,redeemAll()
require the caller to be an EOA or a whitelisted address. Since it is not possible to whitelist every Sentiment account, then the calls to PLV GLP Vault Depositor will always fail.Vulnerability Detail
In
glpDepositor
deposit
has an access control (_isEligibleSender()
), lines 55-58:where at lines 170-174:
Which requires that the caller is an EOA, or whitelisted or a partner. Since one cannot whitelist or make each Sentiment account a partner, then it is not possible to
deposit()
since it would always revert. Same fordepositAll()
,redeem()
andredeemAll()
.Impact
The integration with Plutus GLP Vault does not work (deposit nor redeem)
Code Snippet
https://github.com/sherlock-audit/2023-01-sentiment/blob/main/controller-55/src/plutus/PLVGLPController.sol#L16-L26
Tool used
Manual Review
Recommendation
Right now, Sentiment cannot integrate with the PLV GLP Vault. Consider contacting Plutus protocol.