Open sherlock-admin2 opened 4 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
the cause of the revert wasn't mentioned
The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/tapioca-periph/commit/0a03bbbd04b30bcac183f1bae24d7f9fe9fd4103#diff-4a6decd451580f83dfe716ed16851529590c8349b1ba9bff97b42248c75e5430.
GiuseppeDeLaZara
high
TOFTMarketReceiverModule::marketBorrowReceiver
flow is brokenSummary
The
TOFTMarketReceiverModule::marketBorrowReceiver
flow is broken and will revert when the Magnetar contract tries to transfer the ERC1155 tokens to the Market contract.Vulnerability Detail
TOFTMarketReceiverModule::marketBorrowReceiver
flow is broken.Let's examine it more closely:
marketHelper
,magnetar
and themarket
contracts an approval is made to the Magnetar contract.MagnetarCollateralModule::depositAddCollateralAndBorrowFromMarket
get called with the passed parameters.data.deposit
is true, the Magnetar contract will call_extractTokens
with the following params:from = msg_.user
,token = collateralAddress
andamount = msg_.collateralAmount
.The collateral gets transferred into the Magnetar contract in case the
msg._user
has given sufficient allowance to the Magnetar contract through the Pearlmit contract.After this
_setApprovalForYieldBox(data.market, yieldBox_);
is called that sets the allowance of the Magnetar contract to the Market contract.Then
addCollateral
is called on the Market contract. I've inlined the internal function to make it easier to follow:After the
userCollateralShare
mapping is updatedpearlmit.transferFromERC1155(from, address(this), address(yieldBox), collateralId, share);
gets called.This is critical as now the Magnetar is supposed to transfer the ERC1155 tokens(Yieldbox) to the Market contract.
In order to do this the Magnetar contract should have given the allowance to the Market contract through the Pearlmit contract.
This is not the case, the Magnetar has only executed
_setApprovalForYieldBox(data.market, yieldBox_);
, nothing else.It will revert inside the Pearlmit contract
transferFromERC1155
function when the allowance is being checked.Other occurrences
TOFT::mintLendXChainSGLXChainLockAndParticipateReceiver
has a similar issue as:BBCollateral::addCollateral
the_addTokens
again expects an allowance through the Pearlmit contract.TOFT::lockAndParticipateReceiver
calls theMagnetar:lockAndParticipate
where:Impact
The
TOFTMarketReceiverModule::marketBorrowReceiver
flow is broken and will revert when the Magnetar contract tries to transfer the ERC1155 tokens to the Market contract. There are also other instances of similar issues.Code Snippet
Tool used
Manual Review
Recommendation
Review all the allowance mechanisms and ensure that they are correct.