Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
123 lines (91 loc) · 3.3 KB

141.md

File metadata and controls

123 lines (91 loc) · 3.3 KB
Raw

ctf_sec

high

Tempus depositAndFix function signature mismatch in Lender.sol

Summary

Tempus depositAndFix function signature mismatch in Lender.sol

Vulnerability Detail

The lending function for tempus is implemented below

// Get the Tempus Router from the principal token
address controller = ITempusPool(ITempusToken(principal).pool())
    .controller();

// Swap on the Tempus Router using the provided market and params
ITempus(controller).depositAndFix(x, lent, true, r, d);

note x is /// @param x Tempus AMM that executes the swap

We can look into the ITempus interface

interface ITempus {
    function depositAndFix(
        address,
        uint256,
        bool,
        uint256,
        uint256
    ) external;

if we refered to the deployed Tempus controller

https://etherscan.io/address/0xdb5fd0678eed82246b599da6bc36b56157e4bed8#code

The function for depositAndFix is

    /// @dev Atomically deposits YBT/BT to TempusPool and swaps TYS for TPS to get fixed yield
    ///      See https://docs.balancer.fi/developers/guides/single-swaps#swap-overview
    /// @param tempusAMM Tempus AMM to use to swap TYS for TPS
    /// @param tokenAmount Amount of YBT/BT to be deposited in underlying YBT/BT decimal precision
    /// @param isBackingToken specifies whether the deposited asset is the Backing Token or Yield Bearing Token
    /// @param minTYSRate Minimum exchange rate of TYS (denominated in TPS) to receive in exchange for TPS
    /// @param deadline A timestamp by which the transaction must be completed, otherwise it would revert
    function depositAndFix(
        ITempusAMM tempusAMM,
        uint256 tokenAmount,
        bool isBackingToken,
        uint256 minTYSRate,
        uint256 deadline
    ) external payable nonReentrant {

note the first parameter has type ITempusAMM, we just use address, in the interface.

Also looks like tempus is iteractively building new contract.

https://github.com/tempus-finance/fixed-income-protocol/blob/ae8426a94c602b1a0df34ded3589c70d16bf5aa9/contracts/TempusController.sol#L53

The function depositAndFix is very different

    function depositAndFix(
        ITempusAMM tempusAMM,
        ITempusPool tempusPool,
        ERC20PermitSignature[] calldata erc20Permits,
        uint256 tokenAmount,
        bool isBackingToken,
        uint256 minTYSRate,
        uint256 deadline,
        address referral
    ) external payable override nonReentrant returns (uint256, uint256) {

Impact

If the function signature mismatched in tempus contract, the lending function for tempus will not be working.

Code Snippet

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L655-L668

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/interfaces/ITempus.sol#L8-L16

Tool used

Manual Review

Recommendation

We recommend the project use the updated implementation for tempus controller function signature, and indeed please change from

interface ITempus {
    function depositAndFix(
        address,
        uint256,
        bool,
        uint256,
        uint256
    ) external;

to

interface ITempus {
    function depositAndFix(
        ITempusAMM tempusAMM,
        uint256,
        bool,
        uint256,
        uint256
    ) external;