search

sherlock-audit / 2024-02-tapioca-judging

3 stars 2 forks source link

0xadrii - Depositing wrong asset in YieldBox will DoS sellCollateral() #117

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

0xadrii

high

Depositing wrong asset in YieldBox will DoS sellCollateral()

Summary

A wrong asset ID is passed as parameter when depositing into YieldBox in leverage interactions, making the function always fail.

Vulnerability Detail

The sellCollateral() functionality allows users to sell collateral asset, swap it for USDO and use the obtained USDO as a repayment for loans.

When the swap from collateral to USDO is performed, the USDO must be deposited into YieldBox so that it can be later repaid on behalf of the user. This is done via yieldBox.depositAsset() inside the sellCollateral() function:

// BBLeverage.sol

function sellCollateral(address from, uint256 share, bytes calldata data)
        external
        optionNotPaused(PauseType.LeverageSell)
        solvent(from, false)
        notSelf(from)
        returns (uint256 amountOut)
    {
          ...

        yieldBox.depositAsset(collateralId, address(this), address(this), 0, memoryData.shareOut); 
        ...
        if (memoryData.shareOwed <= memoryData.shareOut) {
            _repay(from, from, memoryData.partOwed); 
        } else {
            //repay as much as we can
            uint256 partOut = totalBorrow.toBase(amountOut, false);
            _repay(from, from, partOut);
        }
    }

The problem is that the yieldBox.depositAsset() is trying to deposit the collateral asset into YieldBox, instead of USDO. As we can seem, the id of the asset to be deposited is passed as collateralId, which will make the call try to deposit the wrong asset into YieldBox.

Impact

High, the function will be completely DoS’ed given that the wrong asset will be deposited and there will never be enough funds of such asset in the contract to be deposited.

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L149

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L135

Tool used

Manual Review

Recommendation

Update the asset ID depositAsset() parameter in both BigBang and Singularity’s leverage modules so that the correct asset is deposited into YieldBox:

// BBLeverage.sol / SGLLeverage.sol

function sellCollateral(address from, uint256 share, bytes calldata data)
        external
        optionNotPaused(PauseType.LeverageSell)
        solvent(from, false)
        notSelf(from)
        returns (uint256 amountOut)
    {
          ...

-        yieldBox.depositAsset(collateralId, address(this), address(this), 0, memoryData.shareOut); 
+        yieldBox.depositAsset(assetId, address(this), address(this), 0, memoryData.shareOut); 
        ...
        if (memoryData.shareOwed <= memoryData.shareOut) {
            _repay(from, from, memoryData.partOwed); 
        } else {
            //repay as much as we can
            uint256 partOut = totalBorrow.toBase(amountOut, false);
            _repay(from, from, partOut);
        }
    }

Duplicate of #42