Swivel lend method doesn't pull protocol fee from user #201
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L297
Vulnerability details
The Swivel lend method adds the order fee to fees[u], but does not pull that fee from the user. It only pulls the order-post-fee amount.

Impact
withdrawFee will fail, as it tries to transfer more tokens than are in the contract.

Proof of Concept
The Swivel lend method sums up the fees into totalFee, and the amount to send to Swivel into lent. It then increments fees[u] by totalFee, but only pulls lent from the user. Therefore, totalFee has not been pulled from the user. The fees variable now includes tokens which are not in the contract, and withdrawFee will fail as it tries to transfer fees[u].

Recommended Mitigation Steps
Pull lent + totalFee from the user.
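As an added illustration (not Illuminate's Lender.sol or any code from the report), a stripped-down Solidity lender showing the vulnerable accounting next to the mitigated version; the flat fee rate, the swivel destination address and the helper name _split are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical, stripped-down lender mirroring the finding's accounting (not Illuminate's Lender.sol).
contract FeeAccountingExample {
    using SafeERC20 for IERC20;

    mapping(address => uint256) public fees; // protocol fee owed per underlying token u
    address public immutable admin;
    address public immutable swivel;         // where lent principal goes (assumed)
    uint256 public constant FEE_BPS = 10;    // assumed flat fee of 0.10% per order

    constructor(address _swivel) { admin = msg.sender; swivel = _swivel; }

    // VULNERABLE: credits fees[u] with totalFee but pulls only `lent` from the user.
    function lendBuggy(address u, uint256[] calldata amounts) external {
        (uint256 lent, uint256 totalFee) = _split(amounts);
        fees[u] += totalFee;                                          // accounted for...
        IERC20(u).safeTransferFrom(msg.sender, address(this), lent); // ...but never collected
        IERC20(u).safeTransfer(swivel, lent);
    }

    // FIXED: pull principal and fee together, so the contract balance backs fees[u].
    function lendFixed(address u, uint256[] calldata amounts) external {
        (uint256 lent, uint256 totalFee) = _split(amounts);
        fees[u] += totalFee;
        IERC20(u).safeTransferFrom(msg.sender, address(this), lent + totalFee);
        IERC20(u).safeTransfer(swivel, lent);
    }

    // After lendBuggy this reverts: fees[u] exceeds the tokens actually held.
    function withdrawFee(address u) external {
        require(msg.sender == admin, "admin only");
        uint256 amount = fees[u];
        fees[u] = 0;
        IERC20(u).safeTransfer(admin, amount);
    }

    // Per order: the fee is carved out of each amount and the remainder is lent.
    function _split(uint256[] calldata amounts) internal pure returns (uint256 lent, uint256 totalFee) {
        for (uint256 i = 0; i < amounts.length; i++) {
            uint256 fee = (amounts[i] * FEE_BPS) / 10_000;
            totalFee += fee;
            lent += amounts[i] - fee;
        }
    }
}
```

After a single lendBuggy call the contract holds zero tokens of u while fees[u] is non-zero, so withdrawFee reverts; after lendFixed the held balance equals fees[u] and the withdrawal succeeds.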