ctf_sec
medium
ISwivel(swivelAddr).initiate(o, a, s) return value not handled for Swivel lending in Lender.sol
The swivel lending method is implemented below
uint256 received;
{
// Get the starting amount of principal tokens
uint256 startingZcTokens = IERC20(
IMarketPlace(marketPlace).token(u, m, p)
).balanceOf(address(this));
// Fill the given orders on Swivel
ISwivel(swivelAddr).initiate(o, a, s);
if (e) {
// Calculate the premium
uint256 premium = IERC20(u).balanceOf(address(this)) -
starting;
// Swap the premium for Illuminate principal tokens
swivelLendPremium(u, m, y, premium, premiumSlippage);
}
// Compute how many principal tokens were received
received =
IERC20(IMarketPlace(marketPlace).token(u, m, p)).balanceOf(
address(this)
) -
startingZcTokens;
}
// Mint Illuminate principal tokens to the user
IERC5095(principalToken(u, m)).authMint(msg.sender, received);
note the line:
ISwivel(swivelAddr).initiate(o, a, s);
If we look into ISwivel interface, the code is
interface ISwivel {
function initiate(
Swivel.Order[] calldata,
uint256[] calldata,
Swivel.Components[] calldata
) external returns (bool);
clearly the return value is not handled.
Let us say, ISwivel(swivelAddr).initiate(o, a, s) return false, but we proceed,
and code goes to
// Compute how many principal tokens were received
received =
IERC20(IMarketPlace(marketPlace).token(u, m, p)).balanceOf(
address(this)
) -
startingZcTokens;
the received amount would be 0,
we mint 0 principle token to user
// Mint Illuminate principal tokens to the user
IERC5095(principalToken(u, m)).authMint(msg.sender, received);
but the user transfer the "lent" amount of token before, which means the user loss fund.
// Lent represents the total amount of underlying to be lent
uint256 lent = swivelAmount(a);
// Transfer underlying token from user to Illuminate
Safe.transferFrom(IERC20(u), msg.sender, address(this), lent);
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L383-L436
Manual Review
We recommend the protocol handle the return value for ISwivel(swivelAddr).initiate(o, a, s)
if(!ISwivel(swivelAddr).initiate(o, a, s)) {
revert SwivelError();
}