Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cergyk - BaseLeverageExecutor::_swapAndTransferToSender will return wrong amount if TOFT wrapping has fees #46

Closed
sherlock-admin4 opened this issue Mar 15, 2024 · 1 comment
Closed

cergyk - BaseLeverageExecutor::_swapAndTransferToSender will return wrong amount if TOFT wrapping has fees #46

sherlock-admin4 opened this issue Mar 15, 2024 · 1 comment
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Mar 15, 2024
edited by sherlock-admin3
Loading

cergyk

medium

BaseLeverageExecutor::_swapAndTransferToSender will return wrong amount if TOFT wrapping has fees

Summary

BaseLeverageExecutor::_swapAndTransferToSender does not account for fees which can be incurred when wrapping a TOFT. This will cause some calls in LeverageExecutors to systematically revert.

Vulnerability Detail

BaseLeverageExecutor::_swapAndTransferToSender implicitely considers that when wrapping, we get 1:1 TOFT token with regards to underlying:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/leverage/BaseLeverageExecutor.sol#L154

It returns amountOut which is also the input to _handleToftWrapToSender.

However we can see that wrapping can incur some fees in some cases:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/mTOFT.sol#L300

This will cause BBLeverage/SGLLeverage functions buyCollateral and sellCollateral to revert due to insufficient balance

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/leverage/SimpleLeverageExecutor.sol#L60

https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/bigBang/BBLeverage.sol#L144-L149

Impact

buyCollateral and sellCollateral will always revert for TOFT tokens having a minting fee

Code Snippet

Tool used

Manual Review

Recommendation

In _swapAndTransferToSender, one should get the actual amount obtained from wrapping:

    if (swapData.toftInfo.isTokenOutToft) {
-       _handleToftWrapToSender(sendBack, tokenOut, amountOut);
+       uint balanceBefore = IERC20(tokenOut).balanceOf(address(this));
+       _handleToftWrapToSender(sendBack, tokenOut, amountOut);
+       uint balanceAfter = IERC20(tokenOut).balanceOf(address(this));
+       amountOut = balanceBefore - balanceAfter;
    } else if (sendBack == true) {

Duplicate of #126
@sherlock-admin2 sherlock-admin2 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Mar 16, 2024
@cryptotechmaker cryptotechmaker mentioned this issue Mar 16, 2024
Open
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Mar 20, 2024
@sherlock-admin3
Copy link
Contributor

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

in general; yest; it points the issue; but the report is flawed and just saying due to fees the txn will revert is not enough and it lacks details of how taking fees actually makes the transaction to revert

@sherlock-admin3 sherlock-admin3 changed the title Modern Mandarin Wasp - BaseLeverageExecutor::_swapAndTransferToSender will return wrong amount if TOFT wrapping has fees cergyk - BaseLeverageExecutor::_swapAndTransferToSender will return wrong amount if TOFT wrapping has fees Mar 31, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Mar 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin2 @sherlock-admin3 @sherlock-admin4