
0xNirix - RedemptionVaultWIthBUIDL will potentially cause loss of funds for users redeeming mBasis due to incorrect slippage considerations #130

Closed
sherlock-admin3 opened this issue Aug 27, 2024 · 1 comment
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin3
Contributor

sherlock-admin3 commented Aug 27, 2024

0xNirix

Medium

RedemptionVaultWIthBUIDL will potentially cause loss of funds for users redeeming mBasis due to incorrect slippage considerations

Summary

The token mismatch between MBasisRedemptionVaultWithSwapper and RedemptionVaultWIthBUIDL will cause a potential loss of funds for users redeeming mBasis instantly as the contract will allow redemptions with less value than expected or unexpectedly revert transactions due to incorrect slippage considerations.

Root Cause

The choice to override the tokenOut in RedemptionVaultWIthBUIDL at #midas-contracts/contracts/RedemptionVaultWithBUIDL.sol:100 without adjusting the minReceiveAmount is a mistake as it creates a mismatch between the expected and actual redemption tokens.

Internal pre-conditions

1. RedemptionVaultWIthBUIDL needs to be set as the mTbillRedemptionVault in MBasisRedemptionVaultWithSwapper. Note: this is possible as per doc https://docs.google.com/document/d/1z3H3cAS1qBAAHqMAyD2YGmSyGzcle9-awrPT9W2NRzY/edit
2. MBasisRedemptionVaultWithSwapper needs to have insufficient balance of the requested tokenOut to trigger the mTbillRedemptionVault.redeemInstant call.
3. buidlLiquiditySource.token() in RedemptionVaultWIthBUIDL needs to return a different token (which is USDC) than the one requested in MBasisRedemptionVaultWithSwapper.
4. The value difference between the original tokenOut and USDC will cause the minReceiveAmount check to fail or pass inappropriately.

External pre-conditions

No response

Attack Path

1. User calls redeemInstant on MBasisRedemptionVaultWithSwapper with a specific tokenOut and minReceiveAmount.
2. MBasisRedemptionVaultWithSwapper has insufficient balance of tokenOut.
3. MBasisRedemptionVaultWithSwapper swaps mBasis to mTBILL and calls redeemInstant on mTbillRedemptionVault (RedemptionVaultWIthBUIDL).
4. RedemptionVaultWIthBUIDL changes tokenOut to USDC but uses the original minReceiveAmount for its check.
5. The minReceiveAmount check either fails unexpectedly or passes when it shouldn't, depending on the relative value of the tokens.
   a. If USDC > original token value: the check likely fails (e.g., 50 USDC < 90 TokenA); the transaction reverts, potentially locking funds temporarily.
   b. If USDC < original token value: the check passes despite value loss (e.g., 200 USDC > 90 TokenB, but 200 USDC < 180 TokenB in value); the user receives less value than expected.

Impact

The users redeeming mBasis either cannot complete the redemption due to unexpected reversion, potentially locking their funds temporarily, or suffer a loss by receiving less value in USDC than they were expecting in the original tokenOut. The loss could be up to the difference in value between the expected tokenOut amount and the received USDC amount.

PoC

No response

Mitigation

Implement a mechanism in MBasisRedemptionVaultWithSwapper to be aware of potential token changes in the redemption process and adjust the minReceiveAmount accordingly.

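The fallback call chain described in the report, as an added model in Python. This is illustrative code and not the Midas contracts: the class names mirror the report, but the oracle, the 5% instant-redemption fee (which is what makes the "passes despite value loss" case visible; at exact oracle parity no value would be lost), the prices and the amounts are all constructed assumptions. The `adjust_min_receive` flag is one way to realise the mitigation the report asks for: re-denominate the user's minimum from the requested tokenOut into the downstream payout token before forwarding it.

```python
"""Added model of the redeemInstant fallback path described in the report.

Not the project's Solidity: names mirror the report, but the oracle, the
5% fee and every price/amount are constructed. Amounts are 18-decimal
fixed point so the arithmetic behaves like Solidity integer math.
"""

ONE = 10**18  # one whole token in base-18 fixed point


def mul_div(a, b, c):
    """a * b / c with floor division, as Solidity would compute it."""
    return a * b // c


class SlippageError(Exception):
    """Stands in for the revert when amountOut < minReceiveAmount."""


class Oracle:
    """Constructed USD prices (base 18) for every token in the scenarios."""

    def __init__(self, prices_usd):
        self.prices = prices_usd

    def price(self, token):
        return self.prices[token]


class RedemptionVaultWithBUIDL:
    """End of the chain: ignores the requested tokenOut, pays the BUIDL
    liquidity-source token (USDC) and applies the caller's minReceiveAmount
    unchanged, which is the behaviour the report describes."""

    def __init__(self, oracle, fee_bps=500):
        self.oracle = oracle
        self.liquidity_token = "USDC"  # buidlLiquiditySource.token()
        self.fee_bps = fee_bps         # assumed instant-redemption fee (5%)

    def redeem_instant(self, amount_mtbill, token_out, min_receive):
        token_out = self.liquidity_token  # the override the report points at
        usd = mul_div(amount_mtbill, self.oracle.price("mTBILL"), ONE)
        usd_after_fee = usd * (10_000 - self.fee_bps) // 10_000
        amount_out = mul_div(usd_after_fee, ONE, self.oracle.price(token_out))
        if amount_out < min_receive:
            raise SlippageError(f"{amount_out} {token_out} < min {min_receive}")
        return token_out, amount_out


class MBasisRedemptionVaultWithSwapper:
    """Front vault. adjust_min_receive=False forwards the user's minimum
    unchanged (reported behaviour); True converts it into the downstream
    payout token first (one reading of the report's mitigation)."""

    def __init__(self, oracle, mtbill_vault, balances, adjust_min_receive=False):
        self.oracle = oracle
        self.mtbill_vault = mtbill_vault
        self.balances = dict(balances)  # tokenOut liquidity held locally
        self.adjust_min_receive = adjust_min_receive

    def redeem_instant(self, amount_mbasis, token_out, min_receive):
        usd = mul_div(amount_mbasis, self.oracle.price("mBASIS"), ONE)
        amount_out = mul_div(usd, ONE, self.oracle.price(token_out))
        if self.balances.get(token_out, 0) >= amount_out:
            # Happy path: pay from own balance in the token the user asked for.
            if amount_out < min_receive:
                raise SlippageError("local payout below minimum")
            self.balances[token_out] -= amount_out
            return token_out, amount_out
        # Fallback: swap mBASIS -> mTBILL at oracle value, redeem downstream.
        amount_mtbill = mul_div(usd, ONE, self.oracle.price("mTBILL"))
        forwarded_min = min_receive
        if self.adjust_min_receive:
            payout_token = self.mtbill_vault.liquidity_token
            forwarded_min = mul_div(min_receive,
                                    self.oracle.price(token_out),
                                    self.oracle.price(payout_token))
        return self.mtbill_vault.redeem_instant(amount_mtbill, token_out, forwarded_min)


ORACLE = Oracle({
    "mBASIS": ONE,       # 1.00 USD (constructed)
    "mTBILL": ONE,       # 1.00 USD (constructed)
    "USDC": ONE,         # 1.00 USD
    "TokenA": ONE // 2,  # 0.50 USD: USDC is worth more per unit (case a)
    "TokenB": 2 * ONE,   # 2.00 USD: USDC is worth less per unit (case b)
})


def run_scenario(token_out, whole_mbasis, whole_min_receive, adjust):
    """Redeem whole_mbasis mBASIS for token_out with the front vault holding
    no tokenOut, so the fallback always fires.
    Returns ("ok", token, whole_amount) or ("revert", None, 0)."""
    front = MBasisRedemptionVaultWithSwapper(
        ORACLE, RedemptionVaultWithBUIDL(ORACLE), balances={},
        adjust_min_receive=adjust)
    try:
        token, amount = front.redeem_instant(
            whole_mbasis * ONE, token_out, whole_min_receive * ONE)
    except SlippageError:
        return ("revert", None, 0)
    return ("ok", token, amount / ONE)


if __name__ == "__main__":
    # Case a: 50 mBASIS should fetch 100 TokenA; user accepts 90 TokenA (45 USD).
    print("a raw     ", run_scenario("TokenA", 50, 90, adjust=False))  # reverts
    print("a adjusted", run_scenario("TokenA", 50, 90, adjust=True))   # 47.5 USDC
    # Case b: 200 mBASIS should fetch 100 TokenB; user accepts 98 TokenB (196 USD).
    print("b raw     ", run_scenario("TokenB", 200, 98, adjust=False))  # 190 USDC, below the 196 USD floor
    print("b adjusted", run_scenario("TokenB", 200, 98, adjust=True))   # reverts
```

With the raw forwarding, case a reverts on a payout that is actually within the user's tolerance, and case b pays 190 USDC against a floor the user set at 196 USD of value; converting the minimum through the oracle before forwarding flips both outcomes to the correct ones. The conversion is only as good as the oracle rates used, so a production fix would also want the front vault to verify the USDC it actually received rather than trust the downstream check alone.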
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Aug 30, 2024
@sherlock-admin4

1 comment(s) were left on this issue during the judging contest.

merlinboii commented:

Duplicate of 041

@sherlock-admin4 sherlock-admin4 changed the title Dizzy Coffee Yak - RedemptionVaultWIthBUIDL will potentially cause loss of funds for users redeeming mBasis due to incorrect slippage considerations 0xNirix - RedemptionVaultWIthBUIDL will potentially cause loss of funds for users redeeming mBasis due to incorrect slippage considerations Sep 2, 2024
@sherlock-admin4 sherlock-admin4 added the Non-Reward This issue will not receive a payout label Sep 2, 2024