Depositing wrong asset in YieldBox will DoS sellCollateral()
Summary
A wrong asset ID is passed as parameter when depositing into YieldBox in leverage interactions, making the function always fail.
Vulnerability Detail
The sellCollateral() functionality allows users to sell collateral asset, swap it for USDO and use the obtained USDO as a repayment for loans.
When the swap from collateral to USDO is performed, the USDO must be deposited into YieldBox so that it can be later repaid on behalf of the user. This is done via yieldBox.depositAsset() inside the sellCollateral() function:
// BBLeverage.sol
function sellCollateral(address from, uint256 share, bytes calldata data)
external
optionNotPaused(PauseType.LeverageSell)
solvent(from, false)
notSelf(from)
returns (uint256 amountOut)
{
...
yieldBox.depositAsset(collateralId, address(this), address(this), 0, memoryData.shareOut);
...
if (memoryData.shareOwed <= memoryData.shareOut) {
_repay(from, from, memoryData.partOwed);
} else {
//repay as much as we can
uint256 partOut = totalBorrow.toBase(amountOut, false);
_repay(from, from, partOut);
}
}
The problem is that the yieldBox.depositAsset() is trying to deposit the collateral asset into YieldBox, instead of USDO. As we can seem, the id of the asset to be deposited is passed as collateralId, which will make the call try to deposit the wrong asset into YieldBox.
Impact
High, the function will be completely DoS’ed given that the wrong asset will be deposited and there will never be enough funds of such asset in the contract to be deposited.
0xadrii
high
Depositing wrong asset in YieldBox will DoS sellCollateral()
Summary
A wrong asset ID is passed as parameter when depositing into YieldBox in leverage interactions, making the function always fail.
Vulnerability Detail
The
sellCollateral()
functionality allows users to sell collateral asset, swap it for USDO and use the obtained USDO as a repayment for loans.When the swap from collateral to USDO is performed, the USDO must be deposited into YieldBox so that it can be later repaid on behalf of the user. This is done via
yieldBox.depositAsset()
inside thesellCollateral()
function:The problem is that the
yieldBox.depositAsset()
is trying to deposit the collateral asset into YieldBox, instead of USDO. As we can seem, the id of the asset to be deposited is passed ascollateralId
, which will make the call try to deposit the wrong asset into YieldBox.Impact
High, the function will be completely DoS’ed given that the wrong asset will be deposited and there will never be enough funds of such asset in the contract to be deposited.
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L149
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L135
Tool used
Manual Review
Recommendation
Update the asset ID
depositAsset()
parameter in both BigBang and Singularity’s leverage modules so that the correct asset is deposited into YieldBox:Duplicate of #42