search

sherlock-audit / 2024-02-tapioca-judging

2 stars 2 forks source link

duc - `buyCollateral` function pass a `false` value of skim param for adding collateral #57

Closed sherlock-admin3 closed 5 months ago

sherlock-admin3 commented 5 months ago

duc

high

buyCollateral function pass a false value of skim param for adding collateral

Summary

In the buyCollateral function of BBLeverage or SGLLeverage, collateral tokens are deposited to YieldBox for the contract. However, this function calls _addCollateral with skim set to false, which will pull collateral from the user's YieldBox position.

Vulnerability Detail

buyCollateral function is used to borrow assets and swap to add collateral into the market. Although it already receives collateral shares of YieldBox after depositing, it calls _addCollateral with the skim parameter set to false.

uint256 collateralShare = yieldBox.toShare(collateralId, amountOut, false);
address(asset).safeApprove(address(yieldBox), type(uint256).max);
yieldBox.depositAsset(collateralId, address(this), address(this), 0, collateralShare); // TODO Check for rounding attack?
...
_addCollateral(calldata_.from, calldata_.from, false, 0, collateralShare);

This results in collateral being incorrectly pulled from the user, even though the necessary tokens are already present in the contract.

function _addTokens(address from, uint256 _tokenId, uint256 share, uint256 total, bool skim) internal {
    if (skim) {
        require(share <= yieldBox.balanceOf(address(this), _tokenId) - total, "BB: too much");
    } else {
        // yieldBox.transfer(from, address(this), _tokenId, share);
        bool isErr = pearlmit.transferFromERC1155(from, address(this), address(yieldBox), _tokenId, share);
        if (isErr) {
            revert TransferFailed();
        }
    }
}

Impact

Users will get losses of funds when using the buyCollateral function if they have enough collateral shares and allowance.

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L109 https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L92

Tool used

Manual Review

Recommendation

buyCollateral function should call _addCollateral with the skim parameter set to true.

Duplicate of #139