Open sherlock-admin2 opened 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid: high(1)
The protocol team fixed this issue in PR/commit https://github.com/napierfi/napier-v1/pull/171.
The Lead Senior Watson signed off on the fix.
KingNFT
high
All yield could be drained if users set any
> 0
allowance to othersSummary
Tranche.redeemWithYT()
is not well implemented, all yield could be drained if users set any> 0
allowance to others.Vulnerability Detail
The issue arises on L283, all
accruedInTarget
is sent out, this will not work while users have allowances to others. Let's say, alice has1000 YT
(yield token) which has generated100 TT
(target token), and if she approves bob100 YT
allowance, then bob should only be allowed to take the proportional target token, which is100 TT * (100 YT / 1000 YT) = 10 TT
.The following coded PoC shows all unclaimed and unaccrued target token could be drained out, even if the allowance is as low as
1wei
.And the logs:
Impact
Users lost all unclaimed and unaccrued yield
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L283
Tool used
Manual Review
Recommendation