Invalid Logic in Pool creation
Summary
The issue lies in using the _collateralTokenToWToken mapping, which maps collateralToken to its corresponding wToken. Instead, the collateralToken address should be directly utilized in the operation.
Vulnerability Details
The code snippet provided contains flawed logic for determining the collateralToken address. Specifically, the contract uses the address of the wToken rather than the intended collateralToken for the given pool. This discrepancy can lead to failures in collateral handling and improper functionality of the protocol.
Impact
Failure in collateral calculations: The wrong token being used in calculations or contract logic.
Loss of funds or mismanagement: If the protocol processes funds with the incorrect token address, it could cause improper liquidity handling or user losses.
Tools Used
Recommendations
Replace the problematic mapping logic with the appropriate collateralToken address usage. Specifically, update the code to ensure it refers to the correct collateral token address as follows:
// Use the correct collateralToken address
collateralToken: _poolParams.collateralToken,
// Optional Improvement: Maintain a direct mapping for collateralToken-to-wToken only where needed _wTokenToCollateralToken[_wToken] = _poolParams.collateralToken;
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.