-
Notifications
You must be signed in to change notification settings - Fork 0
IllIllI - The Notional version of lend()
can be used to lock iPTs
#15
Comments
Escalate for 5 USDC One of the bases for this vulnerability is that ERC5095 and INotional use the same deposit function signature function deposit(uint256 assets, address receiver) external override returns (uint256) { https://github.com/Swivel-Finance/illuminate/blob/main/src/tokens/ERC5095.sol#L197 function deposit(address r, uint256 a) external override returns (uint256) { This also means that the vulnerability cannot be exploited directly
There were assumptions in the report that were not valid at the time, so the report should be medium |
You've created a valid escalation for 5 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final. |
Escalation rejected While Sherlock does not intend to award issues submitted based on anticipated code, this particular submission is considered unique for two reasons:
|
This issue's escalations have been rejected! Watsons who escalated this issue will have their escalation amount deducted from their next payout. |
Swivel-Finance/illuminate#20 |
IllIllI
high
The Notional version of
lend()
can be used to lock iPTsSummary
The Notional version of
lend()
can be used to lock extra iPTs in theLender
contractVulnerability Detail
The Notional version of
lend()
has no checks to ensure that the principal value,p
, passed in is for Notional, and therefore the Illuminate principal value can be passed in and used, which will allow callers to buy iPTs to theLender
contract (rather than Notional PTs), and then mint a second one to themselves when the iPT is minted at the end of the function.Impact
When the underlying is sold in the marketplace, the resulting iPT is given to the
Lender
contract, and there is no supported way to have those iPTs redeemed and their underlying released, which means when users try to redeem their own iPTs, there will be less underlying available than there should be, and they will have lost principal.Code Snippet
In the code block below, there are no checks that
p
is for notional, and the market-provided token for thatp
is used directly for depositing, and at the end of the function, more iPTs are minted:https://github.com/sherlock-audit/2023-01-illuminate/blob/main/src/Lender.sol#L875-L909
The
deposit()
function sells the underlying for iPTs, using the marketplace:https://github.com/sherlock-audit/2023-01-illuminate/blob/main/src/tokens/ERC5095.sol#L191-L197
NOTE:
INotional
is an ERC4626 token, and thedeposit()
function comes from that interface. While the Illuminate PT'sdeposit()
function has a different signature (the argument order is flipped), it's clear that this is a mistake that will be corrected as a part of this audit, since comments within thedeposit()
function itself refer to the need to be compliant with the ERC4626 standard, and discussions in the prior audit extensively mention that compliance was in fact necessary, and thedeposit()
function is not a part of the EIP-5095 standard.Tool used
Manual Review
Recommendation
Revert if
p
is notMarketPlace.Principals.Notional
The text was updated successfully, but these errors were encountered: