Missing slippage protection in PendlePrincipalToken:redeemPT
Summary
When redeeming PT there is no slippage protection in PendlePrincipalToken:redeemPT - line 137 in PendlePrincipalToken.sol.
Vulnerability Detail
When redeeming principal token (PT) the function PendlePrincipalToken:redeemPT fetches netTokenOut (line 137 PendlePrincipalToken.sol) without slippage protection, since 0 is passed into the minTokenOut param - see the docs for the function params for IStandardizedYield:redeem line 244 in IPendle.sol.
PendlePrincipalToken:_executeInstantRedemption is calling the PendlePrincipalToken:_redeemPT function, and if the TOKEN_OUT_SY is the BORROW_TOKEN then there will be no slippage protection inside the else branch on line 163 PendlePrincipalToken.sol.
PendlePrincipalToken:_initiateWithdrawImpl is also calling PendlePrincipalToken:_redeemPT function and then using the return value and storing it to the WithdrawRequest (line 178-181 PendlePrincipalToken.sol).
When an account withdraws/exits from the vault, there is no slippage protection applied for redeeming PT. Thus victims might be subject of an attacker who is performing a sandwich attack, causing the victim to suffer a loss.
Consider implementing slippage protection inside PendlePrincipalToken:_executeInstantRedemption for the case where TOKEN_OUT_SY is the BORROW_TOKEN (line 163 PendlePrincipalToken.sol).
Consider implementing slippage protection for the redeemed PT when a withdraw request is initiated inside PendlePrincipalToken:_initiateWithdrawImpl.
lemonmon
Medium
Missing slippage protection in
PendlePrincipalToken:redeemPT
Summary
When redeeming PT there is no slippage protection in
PendlePrincipalToken:redeemPT
- line 137 in PendlePrincipalToken.sol.Vulnerability Detail
When redeeming principal token (PT) the function
PendlePrincipalToken:redeemPT
fetchesnetTokenOut
(line 137 PendlePrincipalToken.sol) without slippage protection, since 0 is passed into theminTokenOut
param - see the docs for the function params forIStandardizedYield:redeem
line 244 in IPendle.sol.PendlePrincipalToken:_executeInstantRedemption
is calling thePendlePrincipalToken:_redeemPT
function, and if theTOKEN_OUT_SY
is theBORROW_TOKEN
then there will be no slippage protection inside the else branch on line 163 PendlePrincipalToken.sol.PendlePrincipalToken:_initiateWithdrawImpl
is also callingPendlePrincipalToken:_redeemPT
function and then using the return value and storing it to the WithdrawRequest (line 178-181 PendlePrincipalToken.sol).Function trace:
BaseStakingVault:initiateWithdraw -> WithdrawRequestBase:_initiateWithdraw -> PendlePrincipalToken:_initiateWithdrawImpl
Impact
When an account withdraws/exits from the vault, there is no slippage protection applied for redeeming PT. Thus victims might be subject of an attacker who is performing a sandwich attack, causing the victim to suffer a loss.
Code Snippet
https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/14d3eaf0445c251c52c86ce88a84a3f5b9dfad94/leveraged-vaults-private/contracts/vaults/staking/protocols/PendlePrincipalToken.sol#L124-L138
Tool used
Manual Review
Recommendation
Consider implementing slippage protection inside
PendlePrincipalToken:_executeInstantRedemption
for the case whereTOKEN_OUT_SY
is theBORROW_TOKEN
(line 163 PendlePrincipalToken.sol).Consider implementing slippage protection for the redeemed PT when a withdraw request is initiated inside
PendlePrincipalToken:_initiateWithdrawImpl
.Duplicate of #70