Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Jeiwan - User can accidentally burn their iPT tokens during redemption #222

Open
sherlock-admin opened this issue Nov 10, 2022 · 3 comments
Open

Jeiwan - User can accidentally burn their iPT tokens during redemption #222

sherlock-admin opened this issue Nov 10, 2022 · 3 comments
Labels
Duplicate High Sponsor Disputed

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Nov 10, 2022
edited by Evert0x
Loading

Jeiwan

high

User can accidentally burn their iPT tokens during redemption

Summary

User can accidentally burn their iPT tokens during redemption

Vulnerability Detail

The redeem function that redeems iPT tokens burns iPT tokens even when the holdings mapping is empty and the redeemed amount is 0 (Redeemer.sol#L403-L434).

Impact

A user can accidentally call the redeem function after maturity but before the other redeem function is called (the one that burns external PT tokens–they have identical names). User's iPT tokens will be burned and no underlying tokens will be sent in exchange.

Code Snippet

Redeemer.sol#L403:

function redeem(address u, uint256 m) external unpaused(u, m) {
    // Get Illuminate's principal token for this market
    IERC5095 token = IERC5095(
        IMarketPlace(marketPlace).token(
            u,
            m,
            uint8(MarketPlace.Principals.Illuminate)
        )
    );

    // Verify the token has matured
    if (block.timestamp < token.maturity()) {
        revert Exception(7, block.timestamp, m, address(0), address(0));
    }

    // Get the amount of tokens to be redeemed from the sender
    uint256 amount = token.balanceOf(msg.sender);

    // Calculate how many tokens the user should receive
    uint256 redeemed = (amount * holdings[u][m]) / token.totalSupply();

    // Update holdings of underlying
    holdings[u][m] = holdings[u][m] - redeemed;

    // Burn the user's principal tokens
    // @audit burns iPT tokens even if  the holdings mapping is empty
    token.authBurn(msg.sender, amount);

    // Transfer the original underlying token back to the user
    Safe.transfer(IERC20(u), msg.sender, redeemed);

    emit Redeem(0, u, m, redeemed, msg.sender);
}

Tool used

Manual Review

Recommendation

Consider disallowing calling the second redeem function (the one that redeems iPT tokens) before the first redeem function (the one that redeems external PT tokens) is called.

Duplicate of #81
@sourabhmarathe
Copy link

Input validation is not within the scope of the audit. We expect to use other resources to ensure that users are executing the redemptions properly outside of the smart contract.

@JTraversa
Copy link

Duplicate of #239

@JTraversa JTraversa marked this as a duplicate of #239 Nov 15, 2022
@Evert0x Evert0x closed this as completed Nov 15, 2022
@Evert0x Evert0x mentioned this issue Nov 25, 2022
Open
@Evert0x Evert0x reopened this Nov 25, 2022
@Evert0x
Copy link

Evert0x commented Nov 25, 2022

Not a duplicate of #239 but of #81

@github-actions github-actions bot mentioned this issue Jan 16, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate High Sponsor Disputed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sourabhmarathe @Evert0x @JTraversa @sherlock-admin