Lend() for swivel will run out of funds when filling orders #14
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
- duplicate: This issue or pull request already exists
- sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/lender/Lender.sol#L247-L305
Vulnerability details
Impact
lend will always fail if feenominator > 0 and there are not already enough fees in the contract to cover the shortfall
Proof of Concept
L297 transfers the "lent" amount calculated in L283
https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/lender/Lender.sol#L297
https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/lender/Lender.sol#L283
L299 makes the call to swivel with the full value specified in the input a
https://github.com/code-423n4/2022-06-illuminate/blob/3ca41a9f529980b17fdc67baf8cbee5a8035afab/lender/Lender.sol#L299
Let feenominator be set to 100 (1% fee). Let a simply be [100]. Calculated in L283, lent = 100 - 1 = 99. L297 will only transfer 99 underlying tokens into the contract. It will then use 100 tokens in the subsequent call in L299, as specified by a. If there are not already enough tokens in the contract, then the call in L299 will fail.
Tools Used
Recommended Mitigation Steps
L299 should transfer in the sum of a rather than the sum of (a[i] - fee)
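The accounting mismatch in the proof of concept and the effect of the recommended mitigation can be checked with a small ledger model. This is an added example written for this write-up, not code from the Illuminate repository: the token ledger, the account names "user", "lender" and "swivel", and the per-order fee formula a[i] // feenominator (which gives the 1% fee the report uses for feenominator = 100) are assumptions made to mirror the report's description of Lender.sol, not the contract's actual implementation. The buggy path pulls only the net "lent" amount and then pays swivel the full sum of a; the fixed path pulls the full sum of a first.

```python
"""Toy model of the lend()/swivel fund-coverage problem described above (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class TokenLedger:
    """Per-account balances of the underlying token (a constructed stand-in, not an ERC-20)."""
    balances: dict = field(default_factory=dict)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        # Like a real token transfer, this reverts (raises) instead of going negative.
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} cannot cover transfer of {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def lend_swivel(ledger: TokenLedger, user: str, lender: str, swivel: str,
                amounts: list, feenominator: int, fixed: bool) -> dict:
    """Mimic the lend() flow from the report.

    fixed=False: pull lent = sum(a) - fees from the user (the L297 behaviour the report describes).
    fixed=True : pull the full sum(a), as the recommended mitigation suggests.
    In both cases the swivel call is paid the full sum(a) (L299).
    The fee formula a_i // feenominator is an assumption for this model.
    """
    total = sum(amounts)
    fees = sum(a // feenominator for a in amounts) if feenominator > 0 else 0
    lent = total - fees
    pulled = total if fixed else lent
    ledger.transfer(user, lender, pulled)   # L297: tokens move user -> Lender contract
    ledger.transfer(lender, swivel, total)  # L299: Lender pays swivel the full order amounts
    return {"lent": lent, "fees": fees, "pulled": pulled}


def run_scenario(prior_fees: int, amounts: list, feenominator: int, fixed: bool) -> tuple:
    """Run one lend() call on a fresh ledger.

    Returns (swivel_call_succeeded, lender_balance_after). The Lender contract starts with
    prior_fees tokens, standing in for fees already collected from earlier calls.
    """
    ledger = TokenLedger({"user": sum(amounts), "lender": prior_fees, "swivel": 0})
    try:
        lend_swivel(ledger, "user", "lender", "swivel", amounts, feenominator, fixed)
    except ValueError:
        return False, ledger.balances["lender"]
    return True, ledger.balances["lender"]


if __name__ == "__main__":
    # The report's numbers: feenominator = 100, a = [100], empty contract.
    print("buggy, no prior fees:", run_scenario(0, [100], 100, fixed=False))   # (False, 99)
    # Same call succeeds only by spending fees collected earlier.
    print("buggy, 5 prior fees:", run_scenario(5, [100], 100, fixed=False))    # (True, 4)
    print("fixed, no prior fees:", run_scenario(0, [100], 100, fixed=True))    # (True, 0)
```

The second scenario is the "leak value" case the Med Risk label refers to: when the contract does hold previously collected fees, the call goes through, but each order quietly consumes part of that balance instead of adding to it, so the shortfall surfaces only once those funds are exhausted.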