incorrect address transfer to the adapter.prefundedRedeem function from the collect function
Summary
In collect, when prefundedRedeem is called, the user's address is set in input as msg.sender
Vulnerability Detail
For Tranche.collect()msg.sender is the user. But when calling adapter.prefundRedeem from the collect() function, msg.sender will be Tranche.sol. Thus, the accrued will not be sent to the user, but to Tranche.sol.
Impact
For adapter.prefundedRedeem, msg.sender will be Tranche.sol. accrued will be sent to the contract and not to the user
Hajime
medium
incorrect address transfer to the
adapter.prefundedRedeemfunction from the collect functionSummary
In collect, when prefundedRedeem is called, the user's address is set in input as
msg.senderVulnerability Detail
For
Tranche.collect()msg.senderis the user. But when callingadapter.prefundRedeemfrom thecollect()function,msg.senderwill be Tranche.sol. Thus, theaccruedwill not be sent to the user, but toTranche.sol.Impact
For adapter.prefundedRedeem, msg.sender will be Tranche.sol. accrued will be sent to the contract and not to the user
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L423
Tool used
Manual Review
Recommendation
use the
toparameter