0xNirix - RedemptionVaultWIthBUIDL will potentially cause loss of funds for users redeeming mBasis due to incorrect slippage considerations #130
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
0xNirix
Medium
RedemptionVaultWIthBUIDL will potentially cause loss of funds for users redeeming mBasis due to incorrect slippage considerations
Summary
The token mismatch between MBasisRedemptionVaultWithSwapper and RedemptionVaultWIthBUIDL will cause a potential loss of funds for users redeeming mBasis instantly as the contract will allow redemptions with less value than expected or unexpectedly revert transactions due to incorrect slippage considerations.
Root Cause
The choice to override the tokenOut in RedemptionVaultWIthBUIDL at #midas-contracts/contracts/RedemptionVaultWithBUIDL.sol:100 without adjusting the minReceiveAmount is a mistake as it creates a mismatch between the expected and actual redemption tokens.
Internal pre-conditions
1.RedemptionVaultWIthBUIDL needs to be set as the mTbillRedemptionVault in MBasisRedemptionVaultWithSwapper. Note: this is possible as per doc https://docs.google.com/document/d/1z3H3cAS1qBAAHqMAyD2YGmSyGzcle9-awrPT9W2NRzY/edit
2. MBasisRedemptionVaultWithSwapper needs to have insufficient balance of the requested tokenOut to trigger the mTbillRedemptionVault.redeemInstant call.
3. buidlLiquiditySource.token() in RedemptionVaultWIthBUIDL needs to return a different token (which is USDC) than the one requested in MBasisRedemptionVaultWithSwapper.
4. The value difference between the original tokenOut and USDC will cause the minReceiveAmount check to fail or pass inappropriately.
External pre-conditions
No response
Attack Path
2, MBasisRedemptionVaultWithSwapper has insufficient balance of tokenOut.
a. If USDC > original token value:
Check likely fails (e.g., 50 USDC < 90 TokenA)
Transaction reverts, potentially locking funds temporarily
b. If USDC < original token value:
Check passes despite value loss (e.g., 200 USDC > 90 TokenB, but 200 USDC < 180 TokenB in value)
User receives less value than expected
Impact
The users redeeming mBasis either cannot complete the redemption due to unexpected reversion, potentially locking their funds temporarily, or suffer a loss by receiving less value in USDC than they were expecting in the original tokenOut. The loss could be up to the difference in value between the expected tokenOut amount and the received USDC amount.
PoC
No response
Mitigation
Implement a mechanism in MBasisRedemptionVaultWithSwapper to be aware of potential token changes in the redemption process and adjust the minReceiveAmount accordingly.
The text was updated successfully, but these errors were encountered: