rvierdiiev
medium
TxBuilderExtension.repayStEth can revert because wstEthAmount can be bigger than borrowBalance
TxBuilderExtension.repayStEth function uses borrowBalance as amount to repay in case when stEthAmount == type(uint256).max.
https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/extensions/TxBuilderExtension.sol#L356-L368
function repayStEth(address user, uint256 stEthAmount) internal nonReentrant {
if (stEthAmount == type(uint256).max) {
ironBank.accrueInterest(wsteth);
uint256 borrowBalance = ironBank.getBorrowBalance(user, wsteth);
stEthAmount = WstEthInterface(wsteth).getStETHByWstETH(borrowBalance) + 1; // add 1 to avoid rounding issue
}
IERC20(steth).safeTransferFrom(user, address(this), stEthAmount);
IERC20(steth).safeIncreaseAllowance(wsteth, stEthAmount);
uint256 wstEthAmount = WstEthInterface(wsteth).wrap(stEthAmount);
IERC20(wsteth).safeIncreaseAllowance(address(ironBank), wstEthAmount);
ironBank.repay(address(this), user, wsteth, wstEthAmount);
}This borrowBalance is then converted to stEth amount. Also value of 1 is added to stEthAmount in order to avoid rounding issue.
After that this stEthAmount amount will be wrapped to wstEthAmount and it will be repaid using ironBank.repay(address(this), user, wsteth, wstEthAmount).
repay function doesn't allow to repay more than user's debt. That means that in case if wstEthAmount != borrowBalance, then function will revert.
And this is possible actually, because of that +1 to stEthAmount amount.
Repay will fail.
Provided above
Manual Review
You need to check if you need round up or no.