duc - SGLLeverage.sellCollateral calls _repay with the skim parameter set to false. #60
Comments
I tend to agree in part with the escalation. This is not a duplicate of #141, but a duplicate of #139 (and #57, respectively). The root of the problem is the same: the user's funds are mistakenly pulled twice. If we look at issue #57 we can even see that everything is the same, only the functions are different. In one case it is If I have to make an analogy for why they should be duplicates, imagine that we have This is from the Sherlock documentation: "In case the same vulnerability appears across multiple places in different contracts, they can be considered duplicates." I also think it should remain Medium because the loss is limited only to the allowance the user has.

Result:

Escalations have been resolved successfully! Escalation status:
duc

high

SGLLeverage.sellCollateral calls _repay with the skim parameter set to false.

Summary
See vulnerability detail.
Vulnerability Detail
In the SGLLeverage.sellCollateral function, after collecting assets and depositing them into YieldBox, the function attempts to repay the user's loan using the obtained asset shares. However, it calls _repay with the skim parameter set to false, so the user's funds are pulled again during SGLLendingCommon._repay(). This means that even though the necessary asset shares were already collected by the contract, it still mistakenly pulls from the user for the repayment.

Impact
If users have enough allowance and balance for the Singularity market, they will lose funds when using SGLLeverage.sellCollateral.

Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/Tapioca-bar/contracts/markets/singularity/SGLLeverage.sol#L141-L146
Tool used
Manual Review
Recommendation
Should call _repay with the skim parameter set to true.

Duplicate of #139
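A constructed Python model of the accounting this finding and its recommendation describe (added here; it is not Tapioca's code, and the `_repay(from, to, skim, part)` shape, the 1:1 share conversion and the balances are assumptions): with skim false the market pulls a second set of shares from the user even though the sale proceeds already sit in its YieldBox balance, while with skim true only the already-collected shares are consumed.

```python
# Constructed model (not Tapioca's code) of a Kashi/Singularity-style `skim`
# flag: it decides whether _repay consumes shares already in the market or
# pulls them from the user. Shares are assumed 1:1 with asset units.
MARKET = "market"


class YieldBox:
    def __init__(self, balances: dict[str, int]) -> None:
        self.balances = dict(balances)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, src: str, dst: str, shares: int) -> None:
        if self.balance_of(src) < shares:
            raise ValueError(f"{src}: insufficient shares")
        self.balances[src] -= shares
        self.balances[dst] = self.balance_of(dst) + shares


class Market:
    def __init__(self, yb: YieldBox, debt: dict[str, int]) -> None:
        self.yb, self.borrow_part = yb, dict(debt)
        self.accounted = 0  # asset shares the market already counts as its own

    def _repay(self, from_: str, to: str, skim: bool, part: int) -> None:
        self.borrow_part[to] -= part
        if skim:
            # skim == true: use shares already sitting in the market's YieldBox
            # balance that have not been accounted for yet.
            if self.yb.balance_of(MARKET) - self.accounted < part:
                raise ValueError("skim: not enough unaccounted shares")
        else:
            # skim == false: pull the shares from `from_`, i.e. the user.
            self.yb.transfer(from_, MARKET, part)
        self.accounted += part

    def sell_collateral(self, user: str, collateral: int, skim: bool) -> None:
        # Step 1 (as the finding describes): collateral is swapped for assets
        # (1:1 here) and the proceeds land in the market's own YieldBox balance.
        self.yb.balances[MARKET] = self.yb.balance_of(MARKET) + collateral
        # Step 2: repay the user's debt with the shares just obtained.
        self._repay(user, user, skim, collateral)


def simulate(skim: bool) -> tuple[int, int, int]:
    """Return (user asset shares, user debt, surplus stranded in the market)."""
    yb = YieldBox({"alice": 1_000})  # constructed balances
    m = Market(yb, {"alice": 500})
    m.sell_collateral("alice", 500, skim)
    surplus = yb.balance_of(MARKET) - m.accounted
    return yb.balance_of("alice"), m.borrow_part["alice"], surplus
```

With skim false the user ends with 500 shares fewer than necessary and the market holds 500 unaccounted shares; with skim true the debt is cleared and the user's balance is untouched.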