This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

Ch_301 - liquidateVaultsForToken() is not transferring the funds for the swap in asyncSwapper #381

Closed
sherlock-admin2 opened this issue Aug 29, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments


sherlock-admin2 commented Aug 29, 2023

Ch_301

medium

liquidateVaultsForToken() is not transferring the funds for the swap in asyncSwapper

Summary

LiquidationRow.liquidateVaultsForToken() is not transferring the funds for the swap.

Vulnerability Detail

LIQUIDATOR invokes LiquidationRow.liquidateVaultsForToken().
One of the things that needs to be done here is initiating the swap process via the asyncSwapper, by a sub-call to LiquidationRow._performLiquidation().

File: LiquidationRow.sol
240:     function _performLiquidation(
...
243:         address asyncSwapper,
244:         IDestinationVault[] memory vaultsToLiquidate,
245:         SwapParams memory params,
...
248:     ) private {
249:         uint256 length = vaultsToLiquidate.length;
250:         // the swapper checks that the amount received is greater or equal than the params.buyAmount
251:         uint256 amountReceived = IAsyncSwapper(asyncSwapper).swap(params);

The asyncSwapper needs to receive the funds from LiquidationRow.sol first, because it needs to set the approval for the AGGREGATOR.

File: BaseAsyncSwapper.sol
19:     function swap(SwapParams memory swapParams) public virtual nonReentrant returns (uint256 buyTokenAmountReceived) {
...
24: 
25:         IERC20 sellToken = IERC20(swapParams.sellTokenAddress);
26:         IERC20 buyToken = IERC20(swapParams.buyTokenAddress);
27: 
28:         uint256 sellTokenBalance = sellToken.balanceOf(address(this));
29: 
30:         if (sellTokenBalance < swapParams.sellAmount) {
31:             revert InsufficientBalance(sellTokenBalance, swapParams.sellAmount);
32:         }
33: 
34:         LibAdapter._approve(sellToken, AGGREGATOR, swapParams.sellAmount);
...
41:         (bool success,) = AGGREGATOR.call(swapParams.data);
...

Otherwise it will revert with InsufficientBalance(...).

Impact

  • LIQUIDATOR is not able to call LiquidationRow.liquidateVaultsForToken().
  • Rewards are not aggregated
  • Rewards will stack forever in e.g. AURA, CONVEX
  • LMP Vault will never receive rewards

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/BaseAsyncSwapper.sol#L19-L34

Tool used

Manual Review

Recommendation

Transfer the funds (swapParams.sellTokenAddress) to asyncSwapper first.

Duplicate of #205
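The ordering problem described in the report, as an added example that is not part of the original issue and is not Tokemak's code. MockToken, MockSwapper, MockLiquidationRow and their functions are hypothetical names; only the balance check and the InsufficientBalance revert are modelled on the quoted BaseAsyncSwapper.swap() lines, and the aggregator call is replaced by an assumed 1:1 fill.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed model for illustration; every name here is hypothetical.
contract MockToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // checked arithmetic: reverts if short
        balanceOf[to] += amount;
        return true;
    }
}

// Reproduces only the balance check quoted from BaseAsyncSwapper.swap().
contract MockSwapper {
    error InsufficientBalance(uint256 available, uint256 required);
    uint256 public totalSold;

    function swap(MockToken sellToken, uint256 sellAmount) external returns (uint256) {
        uint256 sellTokenBalance = sellToken.balanceOf(address(this));
        if (sellTokenBalance < sellAmount) {
            revert InsufficientBalance(sellTokenBalance, sellAmount);
        }
        totalSold += sellAmount; // aggregator call omitted; assumes a 1:1 fill
        return sellAmount;
    }
}

contract MockLiquidationRow {
    // Reported behaviour: swap() runs while the sell token is still held
    // here, so the swapper's balance check reverts the whole liquidation.
    function liquidateWithoutTransfer(MockSwapper swapper, MockToken token, uint256 amount)
        external returns (uint256)
    {
        return swapper.swap(token, amount);
    }

    // Recommended order: fund the swapper, then call swap().
    function liquidateWithTransfer(MockSwapper swapper, MockToken token, uint256 amount)
        external returns (uint256)
    {
        require(token.transfer(address(swapper), amount), "transfer failed");
        return swapper.swap(token, amount);
    }
}
```

With 100 tokens minted to the MockLiquidationRow instance, liquidateWithoutTransfer(swapper, token, 100) reverts with InsufficientBalance(0, 100), while liquidateWithTransfer(swapper, token, 100) returns 100.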

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin sherlock-admin changed the title Formal Magenta Okapi - liquidateVaultsForToken() is not transferring the funds for the swap in asyncSwapper Ch_301 - liquidateVaultsForToken() is not transferring the funds for the swap in asyncSwapper Oct 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Oct 3, 2023