incorrect address transfer to the adapter.prefundedRedeem function from the collect function
Summary
In collect, when prefundedRedeem is called, the user's address is set in input as msg.sender
Vulnerability Detail
For Tranche.collect()msg.sender is the user. But when calling adapter.prefundRedeem from the collect() function, msg.sender will be Tranche.sol. Thus, the accrued will not be sent to the user, but to Tranche.sol.
Impact
For adapter.prefundedRedeem, msg.sender will be Tranche.sol. accrued will be sent to the contract and not to the user
Hajime
medium
incorrect address transfer to the
adapter.prefundedRedeem
function from the collect functionSummary
In collect, when prefundedRedeem is called, the user's address is set in input as
msg.sender
Vulnerability Detail
For
Tranche.collect()
msg.sender
is the user. But when callingadapter.prefundRedeem
from thecollect()
function,msg.sender
will be Tranche.sol. Thus, theaccrued
will not be sent to the user, but toTranche.sol
.Impact
For adapter.prefundedRedeem, msg.sender will be Tranche.sol. accrued will be sent to the contract and not to the user
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L423
Tool used
Manual Review
Recommendation
use the
to
parameter