XDZIBEC - XDZIBEC-wrap function does not validate the amount parameteR

[sherlock-admin]

XDZIBEC

high

XDZIBEC-wrap function does not validate the amount parameteR

Summary

• The wrap function in the PTokenInterface interface does not validate the amount parameter,it's means that an attacker could call the wrap function and specify an amount that is greater than the amount of underlying tokens that the attacker has. This would allow the attacker to mint new PTokens without having the underlying tokens to back them up.

  Vulnerability Detail

  interface PTokenInterface is IERC20 {
  function getUnderlying() external view returns (address);
  
  function wrap(uint256 amount) external;
  
  function unwrap(uint256 amount) external;
  
  function absorb(address user) external;
  }

• There is a vulnerability in the PTokenInterface interface, so the problem is in the amount parameter. The amount parameter is the amount of underlying tokens that will be wrapped the amount parameter is not validated. This means that an attacker could call the wrap function and specify an amount that is greater than the amount of underlying tokens that the attacker has. the wrap function is responsible for wrapping underlying tokens into PTokens.

  Impact

• An attacker could exploit the vulnerability and mint a large number of PTokens without having the underlying tokens to back them up.

  Code Snippet

• https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/interfaces/PTokenInterface.sol#L10C4-L10C44

  Tool used

Manual Review

Recommendation

• Validate the amount parameter before minting new PTokens. this prevents an attacker from minting new PTokens without having the underlying tokens to back them up.