This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

duc - Absence of params.sellToken transfer from LiquidationRow to asyncSwapper during liquidation process #634

Closed
sherlock-admin opened this issue Aug 30, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

sherlock-admin commented Aug 30, 2023

duc

high

Absence of params.sellToken transfer from LiquidationRow to asyncSwapper during liquidation process

Summary

Please refer to the Detailed Description section for insights.

Vulnerability Detail

The task of executing the liquidation process is assigned to the function LiquidationRow._performLiquidation().

```solidity
function _performLiquidation(
    uint256 gasBefore,
    address fromToken,
    address asyncSwapper,
    IDestinationVault[] memory vaultsToLiquidate,
    SwapParams memory params,
    uint256 totalBalanceToLiquidate,
    uint256[] memory vaultsBalances
) private {
    uint256 length = vaultsToLiquidate.length;
    // The swapper ensures the received amount is greater or equal to params.buyAmount
    uint256 amountReceived = IAsyncSwapper(asyncSwapper).swap(params);

    ...
```

The initial step of the liquidation process involves invoking the swapper contract to conduct a token swap against the target token, as outlined in the README. This is achieved through an external call to asyncSwapper.swap().

```solidity
function swap(SwapParams memory swapParams) public virtual nonReentrant returns (uint256 buyTokenAmountReceived) {
    ...

    uint256 sellTokenBalance = sellToken.balanceOf(address(this));

    if (sellTokenBalance < swapParams.sellAmount) {
        revert InsufficientBalance(sellTokenBalance, swapParams.sellAmount);
    }

    LibAdapter._approve(sellToken, AGGREGATOR, swapParams.sellAmount);

    ...
}
```

Upon inspecting the BaseAsyncSwapper.swap() function, it is evident that the sender is required to provide swapParams.sellToken to the BaseAsyncSwapper contract before invoking the function. However, the crucial step of transferring params.sellAmount of params.sellToken from the LiquidationRow to the asyncSwapper is absent in the LiquidationRow.liquidateVaultsForToken() function.

==> This omission leads to the accumulation of rewards within the LiquidationRow contract, effectively causing them to become frozen.

Impact

Accumulated rewards may become trapped within the LiquidationRow contract.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/LiquidationRow.sol#L251
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/liquidation/BaseAsyncSwapper.sol#L19-L65

Tool used

Manual Review

Recommendation

Before invoking asyncSwapper.swap(), ensure the transfer of params.sellAmount of params.sellToken to the asyncSwapper.

Duplicate of #205

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin2 sherlock-admin2 changed the title Modern Iris Lemur - Absence of params.sellToken transfer from LiquidationRow to asyncSwapper during liquidation process duc - Absence of params.sellToken transfer from LiquidationRow to asyncSwapper during liquidation process Oct 3, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Oct 3, 2023
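
The balance precondition described in the report, reduced to a minimal model. This is an added example, not code from the Tokemak repository or from the reporter; `MockToken`, `MockSwapper`, `RowModel`, the two-field `SwapParams` and the 1:1 swap result are constructed stand-ins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed model of the finding; names are hypothetical, not the project's contracts.
struct SwapParams { address sellToken; uint256 sellAmount; }

contract MockToken {
    mapping(address => uint256) public balanceOf;
    constructor(address holder, uint256 amount) { balanceOf[holder] = amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // checked arithmetic: reverts on underflow
        balanceOf[to] += amount;
        return true;
    }
}

contract MockSwapper {
    error InsufficientBalance(uint256 balance, uint256 needed);

    // Same precondition as the swap() quoted in the report:
    // the swapper itself must already hold sellAmount of sellToken.
    function swap(SwapParams memory p) external view returns (uint256) {
        uint256 bal = MockToken(p.sellToken).balanceOf(address(this));
        if (bal < p.sellAmount) revert InsufficientBalance(bal, p.sellAmount);
        return p.sellAmount; // stand-in for the aggregator call (assumed 1:1)
    }
}

contract RowModel {
    error TransferFailed();

    // As reported: nothing is transferred first, so swap() reverts with
    // InsufficientBalance and the tokens never leave this contract.
    function liquidateAsReported(MockSwapper swapper, SwapParams memory p)
        external view returns (uint256)
    {
        return swapper.swap(p);
    }

    // As recommended: move sellAmount to the swapper, then swap.
    // Real tokens may not return a bool; production code would use
    // OpenZeppelin SafeERC20.safeTransfer instead of this bare check.
    function liquidateFixed(MockSwapper swapper, SwapParams memory p)
        external returns (uint256)
    {
        bool ok = MockToken(p.sellToken).transfer(address(swapper), p.sellAmount);
        if (!ok) revert TransferFailed();
        return swapper.swap(p);
    }
}
```

Deploying `MockToken` with a `RowModel` instance as the holder shows both paths: `liquidateAsReported` reverts with `InsufficientBalance(0, sellAmount)`, while `liquidateFixed` returns `sellAmount`.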