search

sherlock-audit / 2024-02-tapioca-judging

2 stars 2 forks source link

duc - Depositing incorrect tokens in the `BBLeverage.sellCollateral` function #58

Closed sherlock-admin4 closed 5 months ago

sherlock-admin4 commented 5 months ago

duc

medium

Depositing incorrect tokens in the BBLeverage.sellCollateral function

Summary

The sellCollateral function is used to sell a user's collateral to obtain asset shares in YieldBox to repay their loan. However, after swapping to asset tokens, the BBLeverage.sellCollateral function attempts to deposit collateral tokens into YieldBox instead of asset tokens.

Vulnerability Detail

In BBLeverage.sellCollateral function:

amountOut = leverageExecutor.getAsset(
    assetId, address(collateral), address(asset), memoryData.leverageAmount, from, data
);
memoryData.shareOut = yieldBox.toShare(assetId, amountOut, false);
address(asset).safeApprove(address(yieldBox), type(uint256).max);
yieldBox.depositAsset(collateralId, address(this), address(this), 0, memoryData.shareOut); // TODO Check for rounding attack?

This function collects asset tokens by swapping in leverageExecutor.getAsset() function. However, it mistakenly uses collateralId to call yieldBox.depositAsset, causing it to attempt to deposit collateral tokens. It's a serious coding mistake in BBLeverage.sellCollateral, but it doesn't exist inSGLLeverage.sellCollateral function.

Impact

BBLeverage.sellCollateral doesn't work (core functionality broken)

Code Snippet

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L149

Tool used

Manual Review

Recommendation

Should use assetId instead of collateralId for depositing into YieldBox in BBLeverage.sellcollateral function

Duplicate of #42

maarcweiss commented 5 months ago

Dup of #42

sherlock-admin2 commented 5 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

i believe its the intended behavior cuz its the same in buyCollateral