rvierdiiev
medium
TxBuilderExtension.repayStEth can revert because wstEthAmount can be bigger than borrowBalance
TxBuilderExtension.repayStEth
function uses borrowBalance
as amount to repay in case when stEthAmount == type(uint256).max
.
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/extensions/TxBuilderExtension.sol#L356-L368
function repayStEth(address user, uint256 stEthAmount) internal nonReentrant {
if (stEthAmount == type(uint256).max) {
ironBank.accrueInterest(wsteth);
uint256 borrowBalance = ironBank.getBorrowBalance(user, wsteth);
stEthAmount = WstEthInterface(wsteth).getStETHByWstETH(borrowBalance) + 1; // add 1 to avoid rounding issue
}
IERC20(steth).safeTransferFrom(user, address(this), stEthAmount);
IERC20(steth).safeIncreaseAllowance(wsteth, stEthAmount);
uint256 wstEthAmount = WstEthInterface(wsteth).wrap(stEthAmount);
IERC20(wsteth).safeIncreaseAllowance(address(ironBank), wstEthAmount);
ironBank.repay(address(this), user, wsteth, wstEthAmount);
}
This borrowBalance
is then converted to stEth amount. Also value of 1
is added to stEthAmount
in order to avoid rounding issue
.
After that this stEthAmount
amount will be wrapped to wstEthAmount
and it will be repaid using ironBank.repay(address(this), user, wsteth, wstEthAmount)
.
repay
function doesn't allow to repay more than user's debt. That means that in case if wstEthAmount != borrowBalance
, then function will revert.
And this is possible actually, because of that +1
to stEthAmount
amount.
Repay will fail.
Provided above
Manual Review
You need to check if you need round up or no.