Submission Details
Severity: low
Invalid

Redeemed amount check

Summary

The redeemed amount is only compared against the sentinel value `type(uint256).max`. This check is insufficient: any requested amount greater than the sender's asset-token balance causes the transaction to revert.

Vulnerability Details

The `ThunderLoan::redeem()` function contains the following check:

```solidity
if (amountOfAssetToken == type(uint256).max) {
    amountOfAssetToken = assetToken.balanceOf(msg.sender);
}
```

If the amount to redeem (`amountOfAssetToken`) is greater than the sender's balance (`assetToken.balanceOf(msg.sender)`), the transaction reverts when the asset tokens are burned.

Impact

Transaction reverts

Tools Used

Foundry

```solidity
function testRedeem() public setAllowedToken {
    tokenA.mint(liquidityProvider, AMOUNT);
    tokenA.mint(liquidityProvider2, AMOUNT);

    // First liquidity provider deposits AMOUNT.
    vm.startPrank(liquidityProvider);
    tokenA.approve(address(thunderLoan), AMOUNT);
    thunderLoan.deposit(tokenA, AMOUNT);
    vm.stopPrank();

    // Second liquidity provider deposits AMOUNT, then tries to redeem twice its balance.
    vm.startPrank(liquidityProvider2);
    tokenA.approve(address(thunderLoan), AMOUNT);
    thunderLoan.deposit(tokenA, AMOUNT);
    // The burn of asset tokens reverts because AMOUNT * 2 exceeds the provider's balance.
    vm.expectRevert(bytes("ERC20: burn amount exceeds balance"));
    thunderLoan.redeem(tokenA, AMOUNT * 2);
    vm.stopPrank();
}
```

Recommendations

If the amount to be redeemed is greater than the sender's balance, cap it to the sender's balance. Suggested change:

From:

```solidity
if (amountOfAssetToken == type(uint256).max) {
    amountOfAssetToken = assetToken.balanceOf(msg.sender);
}
```

To:

```solidity
uint256 maxAllowedToRedeem = assetToken.balanceOf(msg.sender);
if (amountOfAssetToken > maxAllowedToRedeem) {
    amountOfAssetToken = maxAllowedToRedeem;
}
```
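To make the two behaviours concrete, the following self-contained Foundry test is an added example and not ThunderLoan's code: `MiniAssetToken` and `MiniPool` are constructed stand-ins that reproduce only the balance-and-burn behaviour this finding relies on, and the test pair shows the sentinel-only check reverting on an oversized redeem while the capped variant burns exactly the caller's balance.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the asset token: only balance and burn behaviour matter here.
contract MiniAssetToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function burn(address from, uint256 amount) external {
        require(balanceOf[from] >= amount, "ERC20: burn amount exceeds balance");
        balanceOf[from] -= amount;
    }
}

// Constructed stand-in for the pool; the two redeem variants differ only in amount normalisation.
contract MiniPool {
    MiniAssetToken public assetToken = new MiniAssetToken();
    function depositFor(address lp, uint256 amount) external { assetToken.mint(lp, amount); }
    // Current behaviour: only the max-uint sentinel maps to the caller's full balance.
    function redeemSentinel(uint256 amount) external returns (uint256) {
        if (amount == type(uint256).max) amount = assetToken.balanceOf(msg.sender);
        assetToken.burn(msg.sender, amount); // reverts when amount > balance
        return amount;
    }
    // Recommended behaviour: any request above the balance is capped to the balance;
    // returning the amount actually burned lets callers see when they got less than asked.
    function redeemCapped(uint256 amount) external returns (uint256) {
        uint256 maxAllowed = assetToken.balanceOf(msg.sender);
        if (amount > maxAllowed) amount = maxAllowed;
        assetToken.burn(msg.sender, amount);
        return amount;
    }
}

contract RedeemCapTest is Test {
    uint256 constant AMOUNT = 10e18;
    address constant LP = address(0xA11CE); // constructed liquidity-provider address
    MiniPool pool = new MiniPool();
    function setUp() public { pool.depositFor(LP, AMOUNT); }

    function testSentinelRevertsAboveBalance() public {
        vm.prank(LP);
        vm.expectRevert(bytes("ERC20: burn amount exceeds balance"));
        pool.redeemSentinel(AMOUNT * 2);
    }

    function testCappedRedeemsWholeBalance() public {
        vm.prank(LP);
        assertEq(pool.redeemCapped(AMOUNT * 2), AMOUNT);
        assertEq(pool.assetToken().balanceOf(LP), 0);
    }
}
```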

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
