IllIllI - The Pendle version of `lend()` uses the wrong function for swapping fee-on-transfer tokens

Question

IllIllI - The Pendle version of `lend()` uses the wrong function for swapping fee-on-transfer tokens

Opened this issue 2 years ago · 4 comments

sherlock-admin commented 2 years ago

IllIllI

medium

The Pendle version of `lend()` uses the wrong function for swapping fee-on-transfer tokens

Summary

The Pendle version of lend() uses the wrong function for swapping fee-on-transfer tokens

Vulnerability Detail

The Pendle version of lend() is not able to handle fee-on-transfer tokens properly (USDT is a fee-on-transfer token which is supported) and pulls out the contract's fee balance (I've filed this issue separately). Once that is fixed there still is the fact that the Pendle version uses the wrong Sushiswap function (the Pendle router is a Sushiswap router). The function uses swapExactTokensForTokens() when it should use swapExactTokensForTokensSupportingFeeOnTransferTokens() instead.

Impact

Smart contract unable to operate due to lack of token funds

Users will be unable to use the Pendle version of lend() when the underlying is a fee-on-transfer token with the fee turned on (USDT currently has the fee turned off, but they can turn it on at any moment).

Code Snippet

The pulling in of the amount by IPendle will either take part of the Illuminate protocol fees, or will revert if there is not enough underlying after the fee is applied for the Sushiswap transfer (depending on which fee-on-transfer fix is applied for the other issue I filed):

// File: src/Lender.sol : Lender.lend()   #1

541                address[] memory path = new address[](2);
542                path[0] = u;
543                path[1] = principal;
544    
545                // Swap on the Pendle Router using the provided market and params
546 @>             returned = IPendle(pendleAddr).swapExactTokensForTokens(
547 @>                 a - fee,
548 @>                 r,
549 @>                 path,
550 @>                 address(this),
551 @>                 d
552 @>             )[1];
553            }
554    
555            // Mint Illuminate zero coupons
556            IERC5095(principalToken(u, m)).authMint(msg.sender, returned);
557    
558            emit Lend(p, u, m, returned, a, msg.sender);
559            return returned;
560:       }

https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L536-L560

Tool used

Manual Review

Recommendation

Use swapExactTokensForTokensSupportingFeeOnTransferTokens()

Answer 1 · 2022-11-21T19:01:21.000Z

Same as #116

Answer 2 · 2022-11-21T20:13:54.000Z

Escalate for 1 USDC

Reminder @Evert0x

Answer 3 · 2022-11-21T20:13:57.000Z

Escalate for 1 USDC

Reminder @Evert0x

You've created a valid escalation for 1 USDC!

To remove the escalation from consideration: Delete your comment.
To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Answer 4 · 2022-12-20T15:13:23.000Z

https://github.com/Swivel-Finance/illumigrate/pull/274

The Pendle version of lend() uses the wrong function for swapping fee-on-transfer tokens