Closed sherlock-admin closed 7 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid: high(1)
The protocol team fixed this issue in PR/commit https://github.com/napierfi/napier-v1/pull/171.
The Lead Senior Watson signed off on the fix.
DenTonylifer
high
Missing zero amount check may lead to loss of funds
Summary
A malicious user can steal accrued interest from another user using the `redeemWithYT()` function.
Vulnerability Detail
This function is used for withdrawing underlying tokens from the caller in exchange for `amount` of PT and YT. The withdrawn amount will be the sum of the following:
`from`, `from` must have approved the caller to spend `pyAmount`.
But any user with zero allowance can also call this function if he passes `pyAmount` as 0; otherwise the function will revert due to `_spendAllowance()` in the internal `_burnFrom` function:
In this case the withdrawn amount will be the sum of unclaimed yield and accrued yield, and it will be transferred to the `to` address, which is the malicious user's address:
Impact
A malicious user can steal accrued yield from any user.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L230-L288
Tool used
Manual Review
Recommendation
It is recommended to add a zero amount check to prevent users with zero allowance from calling this function when the caller is not `from`:
Duplicate of #28
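The allowance bypass described in this report, reduced to a minimal Solidity model with the unchecked and checked variants side by side. This is an added example, not Napier's Tranche.sol and not the code from the fix PR; the contract, its 1:1 accounting, and every name other than `redeemWithYT`, `from`, `to`, `pyAmount` and `_spendAllowance` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration only; NOT Napier's Tranche.sol.
// Names other than from, to, pyAmount and _spendAllowance are hypothetical.
contract TrancheModel {
    mapping(address => uint256) public pyBalance;    // PT+YT, modelled as one balance
    mapping(address => uint256) public pendingYield; // unclaimed + accrued yield owed
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public paidOut;      // stands in for the underlying transfer

    error InsufficientAllowance();
    error ZeroAmount();

    // Allowance spend in the usual ERC20 shape: an amount of 0 always passes,
    // even when the spender was never approved.
    function _spendAllowance(address owner, address spender, uint256 amount) internal {
        uint256 current = allowance[owner][spender];
        if (current < amount) revert InsufficientAllowance();
        allowance[owner][spender] = current - amount;
    }

    function _redeem(address from, address to, uint256 pyAmount) internal returns (uint256 out) {
        if (msg.sender != from) _spendAllowance(from, msg.sender, pyAmount);
        pyBalance[from] -= pyAmount;
        // Yield is paid out in full regardless of how much PT/YT is burned.
        out = pyAmount + pendingYield[from];
        pendingYield[from] = 0;
        paidOut[to] += out;
    }

    // Vulnerable shape: with pyAmount == 0 the allowance check gates nothing,
    // so an unapproved caller can redirect `from`'s yield to `to`.
    function redeemWithYTUnchecked(address from, address to, uint256 pyAmount) external returns (uint256) {
        return _redeem(from, to, pyAmount);
    }

    // Hardened shape per the recommendation: a caller other than `from` must
    // burn a non-zero amount, which requires a real allowance from `from`.
    function redeemWithYTChecked(address from, address to, uint256 pyAmount) external returns (uint256) {
        if (msg.sender != from && pyAmount == 0) revert ZeroAmount();
        return _redeem(from, to, pyAmount);
    }

    // Helper to seed constructed balances for a unit test.
    function seed(address user, uint256 py, uint256 yield_) external {
        pyBalance[user] = py;
        pendingYield[user] = yield_;
    }
}
```

A regression test for this class of bug seeds a holder with pending yield, calls the redeem path from an unapproved address with `pyAmount` set to 0, and asserts that the call reverts and `pendingYield` for the holder is unchanged.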