_lockOnTOB function of MagnetarMintCommonModule will not work due to the missing approved asset for YieldBox before depositing

Severity: medium (Code4rena)

Lines of code

https://github.com/Tapioca-DAO/tapioca-periph/blob/032396f701be935b04a7e5cf3cb40a0136259dbc/contracts/Magnetar/modules/MagnetarMintCommonModule.sol#L115-L117

Vulnerability details

Description

In MagnetarMintCommonModule, the _lockOnTOB function is used to pull the singularity tokens from the user and lock them into the TapiocaOptionBroker contract.

```solidity
function _lockOnTOB(
    IOptionsLockData memory lockData,
    IYieldBox yieldBox_,
    uint256 fraction,
    bool participate,
    address user,
    address singularityAddress
) internal returns (uint256 tOLPTokenId) {
    tOLPTokenId = 0;
    if (lockData.lock) {
        if (!cluster.isWhitelisted(0, lockData.target)) {
            revert Magnetar_TargetNotWhitelisted(lockData.target);
        }
        if (lockData.fraction > 0) fraction = lockData.fraction;

        // retrieve and deposit SGLAssetId registered in tOLP
        (uint256 tOLPSglAssetId,,) =
            ITapiocaOptionLiquidityProvision(lockData.target).activeSingularities(singularityAddress);
        if (fraction == 0) revert Magnetar_ActionParamsMismatch();

        //deposit to YieldBox
        _extractTokens(user, singularityAddress, fraction);
        yieldBox_.depositAsset(tOLPSglAssetId, address(this), address(this), fraction, 0);
        ...
    }
}
```

In the above code snippet, _extractTokens is used to pull singularity tokens from the user to this contract. Afterward, it will deposit these tokens into YieldBox to get YieldBox shares and then lock them in the TOB contract.

However, the function never approves YieldBox to spend the Singularity tokens before depositing them. YieldBox attempts to pull the tokens from this contract (from == address(this)), so yieldBox_.depositAsset() reverts because YieldBox has insufficient allowance to transfer them.

Impact

The functions of Magnetar which call _lockOnTOB will be broken, including the mintBBLendSGLLockTOLP function of MagnetarMintModule and the lockAndParticipate function of MagnetarMintXChainModule.

Tools Used

Manual review

Recommended Mitigation Steps

Approve the Singularity tokens for YieldBox before depositing them:

```solidity
//deposit to YieldBox
_extractTokens(user, singularityAddress, fraction);
singularityAddress.safeApprove(address(yieldBox_), fraction);
yieldBox_.depositAsset(tOLPSglAssetId, address(this), address(this), fraction, 0);
```
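A minimal reproduction of the allowance failure and its fix, as an added example that is not code from the report or from Tapioca. MockToken, MockVault, MockModule and Demo are constructed stand-ins (assumptions) for the Singularity token, YieldBox and the Magnetar module, and the vault's deposit is simplified to a 1:1 share mint.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal ERC20 standing in for the Singularity token.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address spender, uint256 amt) external { allowance[msg.sender][spender] = amt; }

    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        allowance[from][msg.sender] -= amt; // checked math: reverts if allowance < amt
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Constructed stand-in for YieldBox: a deposit pulls tokens from `from`.
contract MockVault {
    mapping(address => uint256) public shares;

    function deposit(MockToken token, address from, address to, uint256 amt) external {
        token.transferFrom(from, address(this), amt); // the spender is the vault itself
        shares[to] += amt;
    }
}

// Constructed stand-in for the Magnetar module after _extractTokens has run.
contract MockModule {
    // Mirrors the reported code path: no allowance is granted before the deposit.
    function depositWithoutApprove(MockToken token, MockVault vault, uint256 amt) external {
        vault.deposit(token, address(this), address(this), amt);
    }

    // Mirrors the recommended mitigation: approve the vault, then deposit.
    function depositWithApprove(MockToken token, MockVault vault, uint256 amt) external {
        token.approve(address(vault), amt);
        vault.deposit(token, address(this), address(this), amt);
    }
}

contract Demo {
    // Runs both paths against a module that already holds the tokens.
    function run() external returns (bool revertedWithout, uint256 sharesWith) {
        MockToken token = new MockToken();
        MockVault vault = new MockVault();
        MockModule magnetar = new MockModule();
        token.mint(address(magnetar), 100);
        try magnetar.depositWithoutApprove(token, vault, 100) {} catch { revertedWithout = true; }
        magnetar.depositWithApprove(token, vault, 100);
        sharesWith = vault.shares(address(magnetar));
    }
}
```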

Assessed type

Other