Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid: it should be for both the functions when matured; medium(1)
Due to tilt, PT holders would lose some principal and YT holders would get them. I think redeemWithYT requires the user to hold both PT and YT, which will offset the profit and loss, so I don't think the function needs to compute _computeTargetBelongsToYT.
jennifer37
high
Missing compute target belongs to YT in Tranche::redeemWithYT()
Summary
Function redeemWithYT() will redeem underlying tokens and burn the related PT and YT. YT should earn some profits in some cases, which is missed in redeemWithYT().
Vulnerability Detail
In the current implementation, there will be some amount of principal reserved for YT holders if the maturity has passed. We can see that more clearly in function collect():
However, imagine that the maturity has passed and users want to redeem underlying via redeemWithYT(): all PT and YT will be burned and the related underlying tokens will be returned to users, except the principal reserved for YT holders.
Impact
Users might lose some profits belonging to yield tokens.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L246-L280
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L399-L418
Tool used
Manual Review
Recommendation
Refer to collect() and add a similar implementation.