Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $55,000 USDC
Total HM: 29
Participants: 88
Period: 5 days
Judge: gzeon
Total Solo HM: 7
Id: 134
League: ETH
Rank: 27/88
Findings: 3
Award: $435.11
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: Picodes
Also found by: Chom, Lambda, auditor0517, cryptphi, csanuragjain, hansfriese, hyh, kenzo, kirk-baird, pashov, unforgiven, zer0dot
82.1689 USDC - $82.17
Funds may be stuck when redeeming for Illuminate.
Assuming the goal of calling redeem for Illuminate here is to redeem the Illuminate principal held by the lender or the redeemer, then there is an issue because the wrong balance is checked. So if no msg.sender has a positive balance funds will be lost.
Now assuming the goal of calling redeem for Illuminate here is for users to redeem their Illuminate principal and receive the underlying as suggested by this comment, then the underlying is not sent back to users because Safe.transferFrom(IERC20(u), lender, address(this), amount); send the funds to the redeemer, not the user.
Clarify the purpose of this function and fix the corresponding bug.
When redeeming from APWine and Tempus here, the principal token is not transferred to the redeemer, so may be stuck on the lender contract.
Instead of Safe.transferFrom(IERC20(u), lender, address(this), amount); it should be Safe.transferFrom(IERC20(principal), lender, address(this), amount);
#0 - KenzoAgada
2022-06-28T14:03:01Z
Duplicate of #268
🌟 Selected for report: defsec
Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkowloon, 0xmint, Bnke0x0, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, GimelSec, IllIllI, JC, Kenshin, Kulk0, Lambda, Limbooo, MadWookie, Metatron, Picodes, Soosh, StErMi, TomJ, WatchPug, Waze, Yiko, _Adam, ak1, asutorufos, aysha, bardamu, catchup, datapunk, delfin454000, dipp, fatherOfBlocks, grGred, hake, hansfriese, hyh, joestakey, kebabsec, kenzo, kirk-baird, oyc_109, pashov, poirots, rfa, robee, saian, sashik_eth, shenwilly, simon135, slywaters, z3s, zeesaw, zer0dot
65.8003 USDC - $65.80
Here, since Solidity 0.8.8, you can use type(uint256).max.
Check https://github.com/ethereum/solidity/blob/develop/Changelog.md#088-2021-09-27
Here, avaialable -> available
Here, prinicipal -> principal
The code interact with various protocols and is already quite complicated, no need to obfuscate it with unreadable variable names such as u, n, m,
When redeeming Illuminate's token, the underlying is not sent back to the user, like said in the previous comment. So reading this function code is misleading and may lead to a user calling it.