Function `lend` is not transferring in protocol fees
#291
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate: This issue or pull request already exists
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L641-L654
Vulnerability details
The function `lend` is calculating the total sum of tokens lent to Swivel, as well as summing up the fees `totalFee`
https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L278-L297
However, when it comes to transferring in the underlying, only `lent` is transferred in. Meaning that the contract will account for fees it didn't receive, breaking fees accounting for that token as well as unfairly making minting of the `principal` cheaper via this function call.
Mitigation steps
Transfer in `lent + totalFee`
Change
To
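The accounting gap reported above, as an added Python model that is not part of the original issue and is not the Illuminate contract code: it compares pulling in `lent` only with pulling in `lent + totalFee`, and reports how much of the recorded fee balance is unbacked by tokens. The fee rate (`FEE_DIVISOR`), the account names, the sample amounts and the step that forwards the principal to Swivel are assumptions made for the illustration.

```python
# Simplified model of the accounting described in the issue; not the Illuminate contracts.
FEE_DIVISOR = 1000  # assumed fee rate (amount // 1000); the page does not state the rate


class Token:
    """Minimal ERC-20-like ledger."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Lender:
    def __init__(self, token, charge_fee_on_transfer):
        self.token = token
        self.charge_fee_on_transfer = charge_fee_on_transfer
        self.fees = 0  # fees the contract believes it holds for this underlying

    def lend(self, user, amounts):
        lent = total_fee = 0
        for amount in amounts:  # one entry per filled order
            lent += amount
            total_fee += amount // FEE_DIVISOR
        self.fees += total_fee
        # Reported behaviour pulls in `lent` only; the mitigation pulls `lent + totalFee`.
        pulled = lent + total_fee if self.charge_fee_on_transfer else lent
        self.token.transfer(user, "lender", pulled)
        self.token.transfer("lender", "swivel", lent)  # assumed: principal is forwarded on
        return lent  # principal tokens minted to the user

    def fee_shortfall(self):
        """Recorded fees not backed by tokens held; 0 means the invariant holds."""
        return max(0, self.fees - self.token.balances.get("lender", 0))


def simulate(charge_fee_on_transfer):
    token = Token({"alice": 1_000_000})  # constructed sample balance
    lender = Lender(token, charge_fee_on_transfer)
    minted = lender.lend("alice", [400_000, 100_000])
    paid = 1_000_000 - token.balances["alice"]
    return minted, paid, lender.fees, lender.fee_shortfall()
```

`simulate` returns `(minted, paid, recorded_fees, shortfall)`; a non-zero shortfall is the condition a test suite or monitoring check for this kind of contract would assert against after every `lend` call.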