[M-02] transferring LESS funds from lender than needed #353
Labels: 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value); bug; duplicate
Lines of code
https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L247-L305
Vulnerability details
Impact
Wrong accounting calculation may result in malfunctioning and loss of funds for the project.
Proof of Concept
https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L281-L283
https://github.com/code-423n4/2022-06-illuminate/blob/912be2a90ded4a557f121fe565d12ec48d0c4684/lender/Lender.sol#L297
lend functions the accounting is done as I described, the opposite of the current code.
Recommended Mitigation Steps
I recommend doing the accounting like this:
Then transferFrom with corrected lent (including the fees)
initiate swivel with the corrected amounts vector a
mint only amountToMint to the lender (sum of amounts minus the fees)