Incorrect implementation of Illuminate redeem
#320
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/redeemer/Redeemer.sol#L107-L128
Vulnerability details
Redeeming iPT via
redeem
will always fail. A griefer can burn token from any holder.Calling Illuminate
redeem
is supposed to burn iPT and transfer back the underlying token to the user. However, there are several issues with the current implementation:First, the
amount
is obtained by queryingmsg.sender
's balance. However, in the next step, it's token fromo
address that is being burned instead ofmsg.sender
.The final line should be a transfer of underlying token from Redeemer contract to the user. Instead it tries to transfer underlying token from Lender to this contract, which will always fail as Lender is not supposed to hold any underlying token.
This issue also opens up the possibility of griefing by sending the underlying token to Lender and calling redeem to burn iPT from any holder.
Proof of Concept
redeem
with Bob's address aso
.Recommended Mitigation Steps
Julian clarified that the function allows anyone to burn from any address, but the owner of the iPT themselves will receive the underlying tokens. Therefore, the code should be fixed so that it will query
o
(the token holder) and transfer the underlying token to them:As a side note, allowing anyone to burn and redeem the iPT of any holder could be dangerous in context of composability. Contracts that aren't aware of this mechanism might end up having funds stuck in them. For example, suppose there is a USDC-iPT/ETH Uniswap pool. When the iPT has matured and someone redeemed the iPT in the pool into USDC, the USDC will be stuck forever and LPs of the pool would lose fund.
Consider limiting
redeem
tomsg.sender
instead of allowing arbitrary redemption of any iPT holder.The text was updated successfully, but these errors were encountered: