search

sherlock-audit / 2023-02-carapace-judging

2 stars 0 forks source link

peanuts - sToken can be inflated because the balanceOf function does not specify the token used #242

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

peanuts

medium

sToken can be inflated because the balanceOf function does not specify the token used

Summary

sToken can be inflated because the balanceOf function does not specify the token used.

Vulnerability Detail

When a seller wants to withdraw deposit and convert sToken back to underlying tokens, the function _requestWithdrawal() is called. The function checks the balance of the seller and makes sure the sTokenAmount requested to withdraw is more than the sTokenBalance that the seller has. The problem comes when the balance of the msg.sender is not specified.

  function _requestWithdrawal(uint256 _sTokenAmount) internal {
    uint256 _sTokenBalance = balanceOf(msg.sender);

There can be many instances of tokens in the seller's account, seller can arbitrarily inflate his sToken. Also, sToken is used in other ProtectionPools which may cause confusion.

Impact

The sToken balance is not checked properly.

Code Snippet

Tool used

https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L1061-L1062

Manual Review

Recommendation

Recommend specifying which token the balanceOf function is referring to.

  function _requestWithdrawal(uint256 _sTokenAmount) internal {
    uint256 _sTokenBalance = ERC20(sToken).balanceOf(msg.sender);
clems4ev3r commented 1 year ago

This is not an issue, balanceOf references SToken balance since ProtectionPool inherits from SToken