Missing slippage protection in PendlePrincipalToken:redeemPT
Summary
When redeeming PT there is no slippage protection in PendlePrincipalToken:redeemPT - line 137 in PendlePrincipalToken.sol.
Vulnerability Detail
When redeeming principal token (PT) the function PendlePrincipalToken:redeemPT fetches netTokenOut (line 137 PendlePrincipalToken.sol) without slippage protection, since 0 is passed into the minTokenOut param - see the docs for the function params for IStandardizedYield:redeem line 244 in IPendle.sol.
PendlePrincipalToken:_executeInstantRedemption is calling the PendlePrincipalToken:_redeemPT function, and if the TOKEN_OUT_SY is the BORROW_TOKEN then there will be no slippage protection inside the else branch on line 163 PendlePrincipalToken.sol.
PendlePrincipalToken:_initiateWithdrawImpl is also calling PendlePrincipalToken:_redeemPT function and then using the return value and storing it to the WithdrawRequest (line 178-181 PendlePrincipalToken.sol).
When an account withdraws/exits from the vault, there is no slippage protection applied for redeeming PT. Thus victims might be subject of an attacker who is performing a sandwich attack, causing the victim to suffer a loss.
Consider implementing slippage protection inside PendlePrincipalToken:_executeInstantRedemption for the case where TOKEN_OUT_SY is the BORROW_TOKEN (line 163 PendlePrincipalToken.sol).
Consider implementing slippage protection for the redeemed PT when a withdraw request is initiated inside PendlePrincipalToken:_initiateWithdrawImpl.
lemonmon
Medium
Missing slippage protection in
PendlePrincipalToken:redeemPTSummary
When redeeming PT there is no slippage protection in
PendlePrincipalToken:redeemPT- line 137 in PendlePrincipalToken.sol.Vulnerability Detail
When redeeming principal token (PT) the function
PendlePrincipalToken:redeemPTfetchesnetTokenOut(line 137 PendlePrincipalToken.sol) without slippage protection, since 0 is passed into theminTokenOutparam - see the docs for the function params forIStandardizedYield:redeemline 244 in IPendle.sol.PendlePrincipalToken:_executeInstantRedemptionis calling thePendlePrincipalToken:_redeemPTfunction, and if theTOKEN_OUT_SYis theBORROW_TOKENthen there will be no slippage protection inside the else branch on line 163 PendlePrincipalToken.sol.PendlePrincipalToken:_initiateWithdrawImplis also callingPendlePrincipalToken:_redeemPTfunction and then using the return value and storing it to the WithdrawRequest (line 178-181 PendlePrincipalToken.sol).Function trace:
BaseStakingVault:initiateWithdraw -> WithdrawRequestBase:_initiateWithdraw -> PendlePrincipalToken:_initiateWithdrawImplImpact
When an account withdraws/exits from the vault, there is no slippage protection applied for redeeming PT. Thus victims might be subject of an attacker who is performing a sandwich attack, causing the victim to suffer a loss.
Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/14d3eaf0445c251c52c86ce88a84a3f5b9dfad94/leveraged-vaults-private/contracts/vaults/staking/protocols/PendlePrincipalToken.sol#L124-L138
Tool used
Manual Review
Recommendation
Consider implementing slippage protection inside
PendlePrincipalToken:_executeInstantRedemptionfor the case whereTOKEN_OUT_SYis theBORROW_TOKEN(line 163 PendlePrincipalToken.sol).Consider implementing slippage protection for the redeemed PT when a withdraw request is initiated inside
PendlePrincipalToken:_initiateWithdrawImpl.Duplicate of #70