Platform: Code4rena
Start Date: 05/05/2022
Pot Size: $125,000 DAI
Total HM: 17
Participants: 62
Period: 14 days
Judge: leastwood
Total Solo HM: 15
Id: 120
League: ETH
Rank: 10/62
Findings: 1
Award: $6,389.44
🌟 Selected for report: 1
🚀 Solo Findings: 1
🌟 Selected for report: CertoraInc
6389.4401 DAI - $6,389.44
https://github.com/code-423n4/2022-05-alchemix/blob/de65c34c7b6e4e94662bf508e214dcbf327984f4/contracts-full/adapters/fuse/FuseTokenAdapterV1.sol#L76 https://github.com/code-423n4/2022-05-alchemix/blob/de65c34c7b6e4e94662bf508e214dcbf327984f4/contracts-full/adapters/fuse/FuseTokenAdapterV1.sol#L98
the code is doing wrong check, so when things will work it will revert.
In the function wrap() there is this lines:
if ((error = ICERC20(token).mint(amount)) != NO_ERROR) { revert FuseError(error); }
but mint returns the amount that minted, so when error = amount the check will fail even though it worked good.
Same in unwrap:
if ((error = ICERC20(token).redeem(amount)) != NO_ERROR) { revert FuseError(error); }
the redeem returns the amount.
I recommend to change the lines like this:
in wrap:
if ((error = ICERC20(token).mint(amount)) != amount) { revert FuseError(error); }
and in unwrap:
if ((error = ICERC20(token).redeem(amount)) != amount) { revert FuseError(error); }
#0 - 0xfoobar
2022-05-22T21:31:04Z
Sponsor confirmed.
This would not cause any loss of user funds because the deposit function would revert, but it is a needed fix in the Fuse Adapter. So recommend a lower severity.
#1 - 0xleastwood
2022-06-03T17:23:53Z
As no assets are at risk, medium risk seems correct because only the availability of the protocol is impacted.