sherlock-audit/2024-04-teller-finance-judging

BoRonGod - No sllippage protection in addPrincipalToCommitmentGroup and burnSharesToWithdrawEarnings

Closed this issue · 0 comments

sherlock-admin2 commented

BoRonGod

high

No sllippage protection in addPrincipalToCommitmentGroup and burnSharesToWithdrawEarnings

Summary

No sllippage protection in addPrincipalToCommitmentGroup and burnSharesToWithdrawEarnings, which create great loss to users.

Vulnerability Detail

Attackers can frontrun addPrincipalToCommitmentGroup and burnSharesToWithdrawEarnings to create bad rate for innocent users.

function addPrincipalToCommitmentGroup(
    uint256 _amount,
    address _sharesRecipient
) external returns (uint256 sharesAmount_) {
    //transfers the primary principal token from msg.sender into this contract escrow
    
    principalToken.transferFrom(msg.sender, address(this), _amount);

    sharesAmount_ = _valueOfUnderlying(_amount, sharesExchangeRate());

    totalPrincipalTokensCommitted += _amount;
    //principalTokensCommittedByLender[msg.sender] += _amount;

    //mint shares equal to _amount and give them to the shares recipient !!!
    poolSharesToken.mint(_sharesRecipient, sharesAmount_);
}



function burnSharesToWithdrawEarnings(
    uint256 _amountPoolSharesTokens,
    address _recipient
) external returns (uint256) {
   

    
    poolSharesToken.burn(msg.sender, _amountPoolSharesTokens);

    uint256 principalTokenValueToWithdraw = _valueOfUnderlying(
        _amountPoolSharesTokens,
        sharesExchangeRateInverse()
    );

    totalPrincipalTokensWithdrawn += principalTokenValueToWithdraw;

    principalToken.transfer(_recipient, principalTokenValueToWithdraw);

    return principalTokenValueToWithdraw;
}

Impact

When a user addPrincipalToCommitmentGroup, if the contract experiences a profit (through liquidation) while their transaction is pending (waiting in the mempool), they will receive fewer shares than they expected.

When a user burnSharesToWithdrawEarnings, if the contract experiences a loss (through liquidation) while their transaction is pending (waiting in the mempool), they will receive fewer shares than they expected.

Code Snippet

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L307-L322

https://github.com/sherlock-audit/2024-04-teller-finance/blob/main/teller-protocol-v2-audit-2024/packages/contracts/contracts/LenderCommitmentForwarder/extensions/LenderCommitmentGroup/LenderCommitmentGroup_Smart.sol#L396-L415

Tool used

Manual Review

Recommendation

Both addPrincipalToCommitmentGroup/burnSharesToWithdrawEarnings functions should include slippage protection parameters provided by the users.

Duplicate of #141