You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 30, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
Absence of params.sellToken transfer from LiquidationRow to asyncSwapper during liquidation process
Summary
Please refer to the Detailed Description section for insights.
Vulnerability Detail
The task of executing the liquidation process is assigned to the function LiquidationRow._performLiquidation().
function _performLiquidation(
uint256 gasBefore,
address fromToken,
address asyncSwapper,
IDestinationVault[] memory vaultsToLiquidate,
SwapParams memory params,
uint256 totalBalanceToLiquidate,
uint256[] memory vaultsBalances
) private {
uint256 length = vaultsToLiquidate.length;
// The swapper ensures the received amount is greater or equal to params.buyAmount
uint256 amountReceived = IAsyncSwapper(asyncSwapper).swap(params);
...
The initial step of the liquidation process involves invoking the swapper contract to conduct a token swap against the target token, as outlined in the README. This is achieved through an external call to asyncSwapper.swap().
function swap(SwapParams memory swapParams) public virtual nonReentrant returns (uint256 buyTokenAmountReceived) {
...
uint256 sellTokenBalance = sellToken.balanceOf(address(this));
if (sellTokenBalance < swapParams.sellAmount) {
revert InsufficientBalance(sellTokenBalance, swapParams.sellAmount);
}
LibAdapter._approve(sellToken, AGGREGATOR, swapParams.sellAmount);
...
}
Upon inspecting the BaseAsyncSwapper.swap() function, it is evident that the sender is required to provide swapParams.sellToken to the BaseAsyncSwapper contract before invoking the function. However, the crucial step of transferring params.sellAmount of params.sellToken from the LiquidationRow to the asyncSwapper is absent in the LiquidationRow.liquidateVaultsForToken() function.
==> This omission leads to the accumulation of rewards within the LiquidationRow contract, effectively causing them to become frozen.
Impact
Accumulated rewards may become trapped within the LiquidationRow contract.
sherlock-admin2
changed the title
Modern Iris Lemur - Absence of params.sellToken transfer from LiquidationRow to asyncSwapper during liquidation process
duc - Absence of params.sellToken transfer from LiquidationRow to asyncSwapper during liquidation process
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
duc
high
Absence of
params.sellToken
transfer fromLiquidationRow
toasyncSwapper
during liquidation processSummary
Please refer to the Detailed Description section for insights.
Vulnerability Detail
The task of executing the liquidation process is assigned to the function
LiquidationRow._performLiquidation()
.The initial step of the liquidation process involves invoking the swapper contract to conduct a token swap against the target token, as outlined in the README. This is achieved through an external call to
asyncSwapper.swap()
.Upon inspecting the
BaseAsyncSwapper.swap()
function, it is evident that the sender is required to provideswapParams.sellToken
to theBaseAsyncSwapper
contract before invoking the function. However, the crucial step of transferringparams.sellAmount
ofparams.sellToken
from theLiquidationRow
to theasyncSwapper
is absent in theLiquidationRow.liquidateVaultsForToken()
function.==> This omission leads to the accumulation of rewards within the
LiquidationRow
contract, effectively causing them to become frozen.Impact
Accumulated rewards may become trapped within the
LiquidationRow
contract.Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/LiquidationRow.sol#L251
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/BaseAsyncSwapper.sol#L19-L65
Tool used
Manual Review
Recommendation
Before invoking
asyncSwapper.swap()
, ensure the transfer ofparams.sellAmount
ofparams.sellToken
to theasyncSwapper
.Duplicate of #205
The text was updated successfully, but these errors were encountered: