Leverage module’s buyCollateral() function will always fail due to wrong parameter when depositing into yieldbox
Summary
Passing a wrong parameter when depositing into YieldBox will make calls to buyCollateral() always fail.
Vulnerability Detail
The buyCollateral() feature in the BigBang and Singularity’s leverage module allows users to borrow more USDO and immediately set it as collateral. The summarized steps performed insidebuyCollateral() are:
Withdraw USDO deposited from caller in YieldBox and transfer the USDO to the leverage executor
Borrow USDO (by default deposited in YieldBox), withdraw it from YieldBox and transfer it to the leverage executor
Swap the USDO for the collateral asset via the leverage executor
Deposit the collateral into YieldBox (this is the wrong step detailed in this vulnerability).
Trigger _addCollateral() so that the deposited YieldBox collateral assets are used as actual collateral in USDO
The problem with this vulnerability relies in step 4. As we can see in the following code snippet, after swapping the USDO for the collateral asset, the collateral is deposited into YieldBox. The problem is that the yieldBox.depositAsset() specifies that the shares obtained after depositing into YieldBox will be received by address(this) (the BBLeverage/SGLLeverage contract), instead of the calldata_.from address. Because the leverage contract is the one receiving the YieldBox shares, the final _addCollateral() call will fail (this call tries to pull the YieldBox share tokens from the user (calldata_.from), but the leverage module contract is the actual address that has the shares).
This will make buyCollateral() always fail because calldata_.from will never receive the YieldBox shares and a lack of balance will make the collateral addition always revert.
Impact
High. buyCollateral() will always fail and this feature will be unusable.
0xadrii
high
Leverage module’s buyCollateral() function will always fail due to wrong parameter when depositing into yieldbox
Summary
Passing a wrong parameter when depositing into YieldBox will make calls to
buyCollateral()
always fail.Vulnerability Detail
The
buyCollateral()
feature in the BigBang and Singularity’s leverage module allows users to borrow more USDO and immediately set it as collateral. The summarized steps performed insidebuyCollateral()
are:_addCollateral()
so that the deposited YieldBox collateral assets are used as actual collateral in USDOThe problem with this vulnerability relies in step 4. As we can see in the following code snippet, after swapping the USDO for the collateral asset, the collateral is deposited into YieldBox. The problem is that the
yieldBox.depositAsset()
specifies that the shares obtained after depositing into YieldBox will be received byaddress(this)
(the BBLeverage/SGLLeverage contract), instead of thecalldata_.from
address. Because the leverage contract is the one receiving the YieldBox shares, the final_addCollateral()
call will fail (this call tries to pull the YieldBox share tokens from the user (calldata_.from
), but the leverage module contract is the actual address that has the shares).This will make
buyCollateral()
always fail becausecalldata_.from
will never receive the YieldBox shares and a lack of balance will make the collateral addition always revert.Impact
High. buyCollateral() will always fail and this feature will be unusable.
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L88
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L104
Tool used
Manual Review
Recommendation
It is recommended to set the
calldata_.from
to be the receiver of the YieldBox deposit shares, instead ofaddress(this)
:Duplicate of #100