Anyone can call `absorb` to absorb excess `underlying` asset.

Summary

The function absorb can be called by both EOA and contracts instead of only contracts to absorb the surplus underlying asset in the Ptoken contract, due to lack of checks.

Vulnerability Detail

In the code comment, the function absorb should only be called by contracts, but there are no checks in the code to ensure that only contracts can call this function. so; anyone can drain the surplus underlying asset

     */@notice Absorb the surplus underlying asset to user.
     // @dev This function should only be called by contracts.
     // @param user The beneficiary to absorb the surplus underlying asset
     */
 function absorb(address user) public {
        uint256 balance = IERC20(underlying).balanceOf(address(this));

        uint256 amount = balance - totalSupply();
        _mint(user, amount);
    }

Impact

https://github.com/sherlock-audit/2023-05-ironbank/blob/9ebf1702b2163b55479624794ab7999392367d2a/ib-v2/src/protocol/token/PToken.sol#L53

Code Snippet

Tool used

Manual Review

Recommendation

Add require and checks to make the function only callable by contracts.

sherlock-audit / 2023-05-ironbank-judging

oxchryston - Anyone can call `absorb` to absorb excess `underlying` asset. #363

Anyone can call `absorb` to absorb excess `underlying` asset.

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

sherlock-audit / 2023-05-ironbank-judging

oxchryston - Anyone can call `absorb` to absorb excess `underlying` asset. #363

Anyone can call absorb to absorb excess underlying asset.

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Anyone can call `absorb` to absorb excess `underlying` asset.