IllIllI - The Pendle version of `lend()` uses the wrong function for swapping fee-on-transfer tokens
Opened this issue · 4 comments
IllIllI
medium
The Pendle version of lend()
uses the wrong function for swapping fee-on-transfer tokens
Summary
The Pendle version of lend()
uses the wrong function for swapping fee-on-transfer tokens
Vulnerability Detail
The Pendle version of lend()
is not able to handle fee-on-transfer tokens properly (USDT is a fee-on-transfer token which is supported) and pulls out the contract's fee balance (I've filed this issue separately). Once that is fixed there still is the fact that the Pendle version uses the wrong Sushiswap function (the Pendle router is a Sushiswap router). The function uses swapExactTokensForTokens()
when it should use swapExactTokensForTokensSupportingFeeOnTransferTokens()
instead.
Impact
Smart contract unable to operate due to lack of token funds
Users will be unable to use the Pendle version of lend()
when the underlying is a fee-on-transfer token with the fee turned on (USDT currently has the fee turned off, but they can turn it on at any moment).
Code Snippet
The pulling in of the amount by IPendle
will either take part of the Illuminate protocol fees, or will revert if there is not enough underlying after the fee is applied for the Sushiswap transfer (depending on which fee-on-transfer fix is applied for the other issue I filed):
// File: src/Lender.sol : Lender.lend() #1
541 address[] memory path = new address[](2);
542 path[0] = u;
543 path[1] = principal;
544
545 // Swap on the Pendle Router using the provided market and params
546 @> returned = IPendle(pendleAddr).swapExactTokensForTokens(
547 @> a - fee,
548 @> r,
549 @> path,
550 @> address(this),
551 @> d
552 @> )[1];
553 }
554
555 // Mint Illuminate zero coupons
556 IERC5095(principalToken(u, m)).authMint(msg.sender, returned);
557
558 emit Lend(p, u, m, returned, a, msg.sender);
559 return returned;
560: }
https://github.com/sherlock-audit/2022-10-illuminate/blob/main/src/Lender.sol#L536-L560
Tool used
Manual Review
Recommendation
Use swapExactTokensForTokensSupportingFeeOnTransferTokens()
Escalate for 1 USDC
Reminder @Evert0x
You've created a valid escalation for 1 USDC!
To remove the escalation from consideration: Delete your comment.
To change the amount you've staked on this escalation: Edit your comment (do not create a new comment).
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.