Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
116 lines (82 loc) · 2.54 KB

139.md

File metadata and controls

116 lines (82 loc) · 2.54 KB
Raw

ctf_sec

medium

ISwivel(swivelAddr).initiate(o, a, s) return value not handled for Swivel lending in Lender.sol

Summary

ISwivel(swivelAddr).initiate(o, a, s) return value not handled for Swivel lending in Lender.sol

Vulnerability Detail

The swivel lending method is implemented below

uint256 received;
{
// Get the starting amount of principal tokens
uint256 startingZcTokens = IERC20(
    IMarketPlace(marketPlace).token(u, m, p)
).balanceOf(address(this));

// Fill the given orders on Swivel
ISwivel(swivelAddr).initiate(o, a, s);

if (e) {
    // Calculate the premium
    uint256 premium = IERC20(u).balanceOf(address(this)) -
        starting;

    // Swap the premium for Illuminate principal tokens
    swivelLendPremium(u, m, y, premium, premiumSlippage);
}

// Compute how many principal tokens were received
received =
    IERC20(IMarketPlace(marketPlace).token(u, m, p)).balanceOf(
        address(this)
    ) -
    startingZcTokens;
}

// Mint Illuminate principal tokens to the user
IERC5095(principalToken(u, m)).authMint(msg.sender, received);

note the line:

ISwivel(swivelAddr).initiate(o, a, s);

If we look into ISwivel interface, the code is

interface ISwivel {
    function initiate(
        Swivel.Order[] calldata,
        uint256[] calldata,
        Swivel.Components[] calldata
    ) external returns (bool);

clearly the return value is not handled.

Impact

Let us say, ISwivel(swivelAddr).initiate(o, a, s) return false, but we proceed,

and code goes to

// Compute how many principal tokens were received
received =
    IERC20(IMarketPlace(marketPlace).token(u, m, p)).balanceOf(
        address(this)
    ) -
    startingZcTokens;

the received amount would be 0,

we mint 0 principle token to user

  // Mint Illuminate principal tokens to the user
  IERC5095(principalToken(u, m)).authMint(msg.sender, received);

but the user transfer the "lent" amount of token before, which means the user loss fund.

// Lent represents the total amount of underlying to be lent
uint256 lent = swivelAmount(a);

// Transfer underlying token from user to Illuminate
Safe.transferFrom(IERC20(u), msg.sender, address(this), lent);

Code Snippet

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L383-L436

Tool used

Manual Review

Recommendation

We recommend the protocol handle the return value for ISwivel(swivelAddr).initiate(o, a, s)

if(!ISwivel(swivelAddr).initiate(o, a, s)) {
 revert SwivelError();
}