Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

kenzo - ERC5095.redeem/withdraw do not work before token maturity #50

Closed
sherlock-admin opened this issue Nov 10, 2022 · 4 comments
Closed

kenzo - ERC5095.redeem/withdraw do not work before token maturity #50

sherlock-admin opened this issue Nov 10, 2022 · 4 comments
Labels
Duplicate

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Nov 10, 2022
edited by Evert0x
Loading

kenzo

low

ERC5095.redeem/withdraw do not work before token maturity

Summary

When trying to redeem before maturity,
both of these functions call marketplace.sellPrincipalToken, which tries to pull the PT from the sender.
But ERC5095 itself doesn't hold the PTs and doesn't pull them from the user.
Therefore the call will fail.

Vulnerability Detail

Detailed above.

Impact

Impaired functionality.
Assets can still be sold straight via Marketplace.

Code Snippet

For example we can see that redeem calls IMarketPlace(marketplace).sellPrincipalToken without pulling the PTs from the user:

    function redeem(uint256 s, address r, address o) external override returns (uint256) {
        // Pre-maturity
        if (block.timestamp < maturity) {
            uint128 assets = Cast.u128(previewRedeem(s));
            // If owner is the sender, sell PT without allowance check
            if (o == msg.sender) {
                uint128 returned = IMarketPlace(marketplace).sellPrincipalToken(...)

And sellPrincipalToken tries to pull the PTs from msg.sender:

        Safe.transferFrom(IERC20(address(pool.fyToken())), msg.sender, address(pool), a);

Since msg.sender is ERC5095 at that point, and ERC5095 didn't pull the tokens from the original sender, no tokens will be sent to the yield pool, and the redemption will fail.

Tool used

Manual Review

Recommendation

Pull the tokens from the user in ERC5095.redeem/withdraw.
(The flow can also be changed to make the process a little more efficient.)

Duplicate of #195
@KenzoAgada
Copy link

KenzoAgada commented Nov 22, 2022
edited
Loading

Escalate for 100 USDC
Clear duplicate of #195 .

@sherlock-admin
Copy link
Contributor Author

sherlock-admin commented Nov 22, 2022
edited
Loading

Escalate for 100 USDC
Clear duplicate of #195 .

You've created a valid escalation for 100 USDC!

To remove the escalation from consideration: Delete your comment.
To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@Evert0x
Copy link

Evert0x commented Nov 25, 2022

Escalation accepted

@sherlock-admin
Copy link
Contributor Author

Escalation accepted

This issue's escalations have been accepted!

Contestants' payouts and scores will be updated according to the changes made on this issue.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Evert0x @sherlock-admin @KenzoAgada