Illuminate contest - cryptphi's results

Your Sole Source For Fixed-Yields.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $55,000 USDC

Total HM: 29

Participants: 88

Period: 5 days

Judge: gzeon

Total Solo HM: 7

Id: 134

League: ETH

Illuminate

Findings Distribution

Researcher Performance

Rank: 23/88

Findings: 4

Award: $578.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Lambda

Also found by: 0x29A, Chom, cryptphi, itsmeSTYJ, kenzo, kirk-baird, sashik_eth

Labels

bug
duplicate
3 (High Risk)

Awards

226.125 USDC - $226.12

External Links

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/main/marketplace/ERC5095.sol#L108-L119

https://github.com/code-423n4/2022-06-illuminate/blob/main/redeemer/Redeemer.sol#L275-L296

Vulnerability details

Impact

ERC5095.redeem() allows the redeeming of Principal Tokens for Underlying Tokens to a receiver. When calling the function, if the caller is not the holder of iPTs, then they can set a principalAmount that is larger than the allowance, allowing the receiver to receive more tokens than was approved by the holder.

Proof of Concept

  1. Assume the market is matured and Bob (the holder) owns 500 iPTs and has approved Alice to spend an allowance of 10 tokens.
  2. Alice calls ERC5095.redeem() and inputs 100 tokens as principalAmount, her address as receiver and Bob's address as holder.
  3. Redeemer.authRedeem() is called and 100 PT is burned from Bob's address and Alice receives 100 underlying tokens for the market.

Tools Used

Manual review

The principalAmount argument should be less than or equal to the approved spend allowance.

#0 - KenzoAgada

2022-06-28T06:18:49Z

Duplicate of #173
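The allowance gap described in this finding, shown as an added example that is not part of the original report or the Illuminate code base: a simplified model with the unchecked delegated redeem beside a form that spends the holder's allowance first. The contract, function and variable names are illustrative assumptions, and the underlying payout is modelled as a counter rather than a token transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Simplified model of a principal token with a delegated redeem path.
// All names are illustrative; this is not the Illuminate ERC5095 or Redeemer source.
contract PrincipalTokenModel {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public underlyingPaid; // stands in for the underlying transfer

    constructor(address holder, uint256 amount) {
        balanceOf[holder] = amount; // constructed starting balance
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Pattern described in the finding: a third-party caller is never
    // checked against the allowance the holder granted.
    function redeemUnchecked(uint256 principalAmount, address receiver, address holder) external {
        _burnAndPay(principalAmount, receiver, holder);
    }

    // Hardened form: a caller other than the holder must spend allowance first.
    function redeemChecked(uint256 principalAmount, address receiver, address holder) external {
        if (msg.sender != holder) {
            uint256 allowed = allowance[holder][msg.sender];
            require(allowed >= principalAmount, "redeem: exceeds allowance");
            if (allowed != type(uint256).max) {
                // Decrement so the same approval cannot be reused.
                allowance[holder][msg.sender] = allowed - principalAmount;
            }
        }
        _burnAndPay(principalAmount, receiver, holder);
    }

    function _burnAndPay(uint256 amount, address receiver, address holder) private {
        balanceOf[holder] -= amount; // reverts on underflow in Solidity >=0.8
        underlyingPaid[receiver] += amount; // 1:1 payout assumed after maturity
    }
}
```

With the report's numbers (500 iPTs held, allowance of 10, request of 100), `redeemChecked` reverts while `redeemUnchecked` burns 100 from the holder.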

Findings Information

🌟 Selected for report: Picodes

Also found by: Chom, Lambda, auditor0517, cryptphi, csanuragjain, hansfriese, hyh, kenzo, kirk-baird, pashov, unforgiven, zer0dot

Labels

bug
duplicate
3 (High Risk)
sponsor confirmed

Awards

82.1689 USDC - $82.17

External Links

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/main/redeemer/Redeemer.sol#L206-L227

https://github.com/code-423n4/2022-06-illuminate/blob/main/redeemer/Redeemer.sol#L240-L262

https://github.com/code-423n4/2022-06-illuminate/blob/main/redeemer/Redeemer.sol#L107-L148

https://github.com/code-423n4/2022-06-illuminate/blob/main/redeemer/Redeemer.sol#L158-L194

Vulnerability details

Impact

From the statement as documented in https://code4rena.com/contests/2022-06-illuminate-contest#redemption-specifics, lenders can redeem their capital with a redeem method on Redeemer.sol. However, there is no function or logic which actually ensures this can be performed.

All redeem() functions in Redeemer.sol redeem the PTs for their respective underlying token and keep it in the Redeemer contract; there is no provision for users to exchange for equivalent backing of underlying tokens except by using the authorized iPT EIP-5095 redeem method.

Proof of Concept

All redeem() functions in Redeemer.sol call the redemption method for the underlying token, and the tokens are held by the Redeemer contract.

Tools Used

Manual review

A function or logic that makes provision for users to be able to exchange for their underlying token directly.

#0 - sourabhmarathe

2022-06-29T16:44:07Z

Illuminate's redeem method is supposed to perform this, but due to a bug, it does not do so. I will mark this issue as a duplicate of the issues that indicated that.

Duplicate of #384.

#1 - JTraversa

2022-07-02T18:21:53Z

I'd say wardens should take a quick look at this one and see whether it is pointed enough to be a duplicate? Unsure though 🤷

Findings Information

🌟 Selected for report: dipp

Also found by: Lambda, WatchPug, cccz, cryptphi, datapunk, hyh, kenzo

Labels

bug
duplicate
3 (High Risk)

Awards

226.125 USDC - $226.12

External Links

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/main/redeemer/Redeemer.sol#L191-L194

Vulnerability details

Impact

The redeem method for Notional Protocol is incomplete; the else-if statement only gets the amount to redeem but no redemption is made.

Proof of Concept

INotional(principal).maxRedeem(address(this)) outputs the balance of the redeemer contract, as seen in https://github.com/notional-finance/wrapped-fcash/blob/019cfa20369d5e0d9e7a38fea936cc649704780d/contracts/wfCashERC4626.sol#L90

Tools Used

Manual review

An additional line to redeem the amount output.

#0 - KenzoAgada

2022-06-28T08:28:34Z

Duplicate of #341

Findings Information

🌟 Selected for report: Kumpa

Also found by: Metatron, cccz, cryptphi, hansfriese, jah, kenzo, kirk-baird, pashov, poirots

Labels

bug
duplicate
2 (Med Risk)

Awards

43.9587 USDC - $43.96

External Links

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L192-L235

Vulnerability details

Impact

The lend() function (line 192) for Illuminate and Yield principal tokens deducts a fee when purchasing the PTs but does not add the deducted fee to the accumulated fees for the token, which means Admin does not get fees for both Illuminate and Yield PTs like it does on other PTs.

Proof of Concept

https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L219

https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L229

The above lines deduct the calculated fee, but it is not added to the mapped fees state variable.

Tools Used

Manual review

Add the deducted fee to the fees state variable.

#0 - KenzoAgada

2022-06-28T16:04:59Z

Duplicate of #208
