Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

rvierdiiev - Marketplace.setPrincipal do not approve needed allowance for Element vault and APWine router #40

Open
sherlock-admin opened this issue Nov 10, 2022 · 3 comments
Open

rvierdiiev - Marketplace.setPrincipal do not approve needed allowance for Element vault and APWine router #40

sherlock-admin opened this issue Nov 10, 2022 · 3 comments
Labels
Disagree With Severity Has Duplicates Medium Sponsor Confirmed Will Fix

Comments

@sherlock-admin
Copy link
Contributor

rvierdiiev

medium

Marketplace.setPrincipal do not approve needed allowance for Element vault and APWine router

Summary

Marketplace.setPrincipal do not approve needed allowance for Element vault and APWine router

Vulnerability Detail

Marketplace.setPrincipal is used to provide principal token for the base token and maturity when it was not set yet. To set PT you also provide protocol that this token belongs to.

In case of APWine protocol there is special block of code to handle all needed allowance. But it is not enough.

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Marketplace.sol#L231-L236

        } else if (p == uint8(Principals.Apwine)) {
            address futureVault = IAPWineToken(a).futureVault();
            address interestBearingToken = IAPWineFutureVault(futureVault)
                .getIBTAddress();
            IRedeemer(redeemer).approve(interestBearingToken);
        } else if (p == uint8(Principals.Notional)) {

In Marketplace.createMarket function 2 more params are used to provide allowance of Lender for Element vault and APWine router.
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Marketplace.sol#L182
ILender(lender).approve(u, e, a, t[7]);

But in setPrincipal we don't have such params and allowance is not set. So Lender will not be able to work with that tokens correctly.

Impact

Lender will not provide needed allowance and protocol integration will fail.

Code Snippet

Provided above.

Tool used

Manual Review

Recommendation

Add 2 more params as in createMarket and call ILender(lender).approve(u, e, a, address(0));
@sherlock-admin sherlock-admin mentioned this issue Nov 10, 2022
Closed
@sourabhmarathe
Copy link

Suggested severity is Low on the grounds that we have an admin method that would allow us to handle these particular approvals. That being said, we will be implementing a fix based on this report.

@Evert0x
Copy link

Evert0x commented Nov 21, 2022

Issue will stay medium severity, although Illuminate is able to fix it using admin powers.. it's still a broken codebase that can potentially impact user funds.

@KenzoAgada KenzoAgada mentioned this issue Nov 23, 2022
Closed
@sourabhmarathe
Copy link

https://github.com/Swivel-Finance/illumigrate/pull/240

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Disagree With Severity Has Duplicates Medium Sponsor Confirmed Will Fix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sourabhmarathe @Evert0x @sherlock-admin