This repository has been archived by the owner on May 26, 2023. It is now read-only.

IllIllI - Users can mint free Illuminate PTs if underlying decimals don't match external PTs #120

Open
sherlock-admin opened this issue Nov 10, 2022 · 1 comment


IllIllI

high

Users can mint free Illuminate PTs if underlying decimals don't match external PTs

Summary

Users can mint free Illuminate PTs if underlying decimals don't match external PTs

Vulnerability Detail

The Illuminate PTs always match the decimals of the underlying, but when external PTs are used for minting Illuminate PTs, the amount minted is not adjusted for the differences in decimals.

Impact

Users can inflate away the value of Illuminate PTs by minting using external PTs with different decimals than the underlying.

Code Snippet

There are no conversions based on decimals - one input external PT results in one Illuminate PT:

// File: src/Lender.sol : Lender.mint()   #1

    function mint(
        uint8 p,
        address u,
        uint256 m,
        uint256 a
    ) external unpaused(u, m, p) returns (bool) {
        // Fetch the desired principal token
        address principal = IMarketPlace(marketPlace).token(u, m, p);

        // Transfer the users principal tokens to the lender contract
        Safe.transferFrom(IERC20(principal), msg.sender, address(this), a);

        // Mint the tokens received from the user
        IERC5095(principalToken(u, m)).authMint(msg.sender, a);

        emit Mint(p, u, m, a);

        return true;
    }

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L270-L288

For example, Swivel tokens are all locked at 18 decimals, Pendle uses the decimals of the yield token (e.g. cDai) rather than the decimals of the underlying, and [Notional](https://github.com/notional-finance/wrapped-fcash/blob/ad5c145d9988eeee6e36cf93cc3412449e4e7eba/contracts/wfCashBase.sol#L103) locks the decimals to 8.

Tool used

Manual Review

Recommendation

Convert the decimals of the PT to those of the underlying, and adjust the number of Illuminate PTs minted based on that conversion.
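One way to implement the recommended conversion, as an added example that is not part of the original report or of Illuminate's code. The names `IDecimals`, `DecimalScale`, `scale`, `mintAmount` and `ZeroAfterScaling` are hypothetical, and the example assumes one whole external PT should mint one whole Illuminate PT.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added example: hypothetical helper, not code from the Illuminate repository.
interface IDecimals {
    function decimals() external view returns (uint8);
}

library DecimalScale {
    // Raised when a non-zero deposit would mint nothing after scaling down.
    error ZeroAfterScaling(uint256 amount, uint8 fromDec, uint8 toDec);

    /// @notice Re-express `amount`, given in base units of a token with
    ///         `fromDec` decimals, in base units of a token with `toDec` decimals.
    function scale(uint256 amount, uint8 fromDec, uint8 toDec)
        internal
        pure
        returns (uint256 out)
    {
        if (fromDec == toDec) return amount;
        if (fromDec > toDec) {
            // e.g. 18-decimal external PT, 6-decimal underlying: divide by 1e12.
            // Integer division rounds down, so the depositor never gains units.
            out = amount / 10 ** (fromDec - toDec);
        } else {
            // e.g. 8-decimal external PT, 18-decimal underlying: multiply by 1e10.
            // Checked arithmetic in 0.8.x reverts if this overflows.
            out = amount * 10 ** (toDec - fromDec);
        }
        // Reject dust deposits that would transfer PTs in but mint zero out.
        if (amount != 0 && out == 0) revert ZeroAfterScaling(amount, fromDec, toDec);
    }

    /// @notice Amount of Illuminate PT to mint for `a` base units of `externalPT`.
    /// @dev Assumption: Illuminate PT decimals equal the underlying's decimals,
    ///      as the report states.
    function mintAmount(address externalPT, address underlying, uint256 a)
        internal
        view
        returns (uint256)
    {
        return scale(a, IDecimals(externalPT).decimals(), IDecimals(underlying).decimals());
    }
}
```

In `Lender.mint()` the value passed to `authMint` would then be `DecimalScale.mintAmount(principal, u, a)` rather than `a`, while the `transferFrom` amount stays `a`.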
