Fees should be paid by the user when lend()
to Swivel
#344
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate
This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L247-L305
Vulnerability details
L297,
lent
is the amount of underlyingToken transferFrom user's wallet.However,
lent
is the sum of amounts without the fees, see L275-583.This means the user wont be paying for the fees when they
lend()
to Swivel.Recommendation
Change to:
The text was updated successfully, but these errors were encountered: