IllIllI - Holders of worthless external PTs can stick other Illuminate PT holders with bad debts #119
Comments
In the event of insolvency, we expect the
@sourabhmarathe there is no guarantee that the admin will be aware of the insolvency and do the manual step of pausing, before automated tools notice and take advantage of the issue
This is generally the case with most integrations across most protocols, there is the chance of an atomic attack on multiple protocols preventing the pausing of markets after detection. So there aren't immediately extremely easy solutions, that said specifically we have already implemented the recommended auditor remediation,
We do ensure that the protocol being used as a principal does not flag the
The recommendation is to check whether the protocol itself is paused, not to check whether Illuminate has its own paused flag set
Valid issue but downgrading to medium severity as the conditions are dependent on an external protocol their admin functions.
Understood although this presupposes the idea that all of them can even be paused. Again, I'm unsure if this is a reasonable request, as you could submit the same exact report for every single Sherlock audit and it would be equally valid for every single integration ever? Further, if there is an attack, the attacker would simply just attack Illuminate before the external protocol can be paused, completely bypassing any checks and just leaving normal users paying more gas. It all just seems kind of unreasonable, especially as you add additional integrations to the stack (e.g. Illuminate -> Swivel -> Euler -> Lido, do we somehow check EACH of these before every transaction?)
Escalate for 1 USDC
Reminder @Evert0x
You've created a valid escalation for 1 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
IllIllI
high
Holders of worthless external PTs can stick other Illuminate PT holders with bad debts
Summary
Holders of worthless external PTs can stick other Illuminate PT holders with bad debts
Vulnerability Detail
Some of the supported external PTs can pause their activity. One such PT, Pendle, not only can pause activity, but can turn on emergency mode where the admin can transfer the underlying tokens to an arbitrary contract for safekeeping until they decide what to do with the funds. The Illuminate code does not handle such cases, and in fact, if the Pendle protocol is in emergency mode, will still allow users to convert their possibly worthless Pendle PTs to Illuminate ones.
While there is a mechanism for the Illuminate admin to pause a market, there's no guarantee that the Illuminate admin will notice the Pendle pause before other users, and even if they do, it's possible that users have automation set up to front-run such pauses for Pendle markets, so that they never are stuck with worthless tokens.
Impact
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Other users that deposited principal in the form of external PTs (e.g. by minting Illuminate PTs in order to be pool liquidity providers) that have actual value, will have their shares of available underlying diluted by Pendle PTs that cannot be redeemed. Illuminate PTs are on a per-share basis rather than a one-for-one basis, so the less underlying there is at redemption time, the less underlying every Illuminate PT holder gets.
Code Snippet
There are no checks that the protocol of the external PT is paused or has any value:
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L270-L288
Redemptions of Illuminate PTs for underlyings are based on shares of each Illuminate PT's totalSupply() of the available underlying, not the expected underlying total:
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L422
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L464
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Redeemer.sol#L517
Tool used
Manual Review
Recommendation
Ensure that the protocol being used as principal is not paused before allowing minting
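
The dilution described under Impact and the guard from the Recommendation, as an added Python model that is not the Illuminate contracts and not part of the original report. The class names, the `paused` and `recoverable_bps` fields, the account names and all amounts are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ExternalPT:
    """Hypothetical stand-in for an integrated external principal token."""
    name: str
    paused: bool = False            # assumed pause/emergency flag of the external protocol
    recoverable_bps: int = 10_000   # share of face value redeemable at maturity (constructed)

@dataclass
class Market:
    check_external_pause: bool = False   # True models the recommended guard
    total_supply: int = 0
    holdings: int = 0                    # underlying available for redemption
    balances: dict = field(default_factory=dict)
    deposits: list = field(default_factory=list)

    def mint(self, user, pt, amount):
        # Recommended check: refuse external PTs whose protocol is paused.
        if self.check_external_pause and pt.paused:
            raise PermissionError(f"{pt.name}: external protocol is paused")
        self.deposits.append((pt, amount))
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total_supply += amount      # Illuminate PTs minted 1:1 against the deposit

    def settle(self):
        # At maturity the external PTs are redeemed; frozen ones return nothing.
        self.holdings = sum(a * pt.recoverable_bps // 10_000 for pt, a in self.deposits)

    def redeem(self, user):
        # Per-share payout: a share of the *available* underlying, not of face value.
        amount = self.balances.pop(user)
        payout = self.holdings * amount // self.total_supply
        self.holdings -= payout
        self.total_supply -= amount
        return payout

def scenario(check_external_pause):
    healthy = ExternalPT("healthy-pt")
    frozen = ExternalPT("frozen-pt", paused=True, recoverable_bps=0)
    market = Market(check_external_pause)
    market.mint("alice", healthy, 1_000)
    try:
        market.mint("bob", frozen, 1_000)   # deposit made while the protocol is paused
    except PermissionError:
        pass                                # rejected when the guard is enabled
    market.settle()
    return {user: market.redeem(user) for user in list(market.balances)}
```

Without the guard both holders receive 500 of the 1,000 underlying that actually exists; with it the paused deposit is rejected and the holder of the healthy PT is paid in full.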