This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
p0wd3r - ETH deposited by the user may be stolen. #1
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Comments
github-actions bot added the High and Has Duplicates labels on Sep 11, 2023.
codenutt added the Sponsor Confirmed label on Sep 13, 2023.
sherlock-admin changed the title from "Macho Shamrock Huskie - ETH deposited by the user may be stolen." to "p0wd3r - ETH deposited by the user may be stolen." on Oct 3, 2023.
p0wd3r
high
ETH deposited by the user may be stolen.
Summary
Due to the fact that the WETH obtained through `_processEthIn` belongs to the contract, and `pullToken` transfers assets from `msg.sender`, it is possible for users to transfer excess WETH to the contract, allowing attackers to steal WETH from within the contract using `sweepToken`.

Both `mint` and `deposit` in `LMPVaultRouterBase` have this problem.

Vulnerability Detail
In the `deposit` function, if the user pays with ETH, it will first call `_processEthIn` to wrap it and then call `pullToken` to transfer.

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L43-L57

`_processEthIn` will wrap ETH into WETH, and these WETH belong to the contract itself.

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L111-L122

However, `pullToken` transfers from `msg.sender` and does not use the WETH obtained in `_processEthIn`.

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/utils/PeripheryPayments.sol#L54-L56

If the user deposits 10 ETH and approves 10 WETH to the contract, when the deposit amount is 10, all of the user's 20 WETH will be transferred into the contract.

However, due to the `amount` being 10, only 10 WETH will be deposited into the vault, and the remaining 10 WETH can be stolen by the attacker using `sweepToken`.

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/utils/PeripheryPayments.sol#L58-L65

Both `mint` and `deposit` in `LMPVaultRouterBase` have this problem.

Impact
ETH deposited by the user may be stolen.
Code Snippet
Tool used
Manual Review
Recommendation
Perform operations based on the size of `msg.value` and `amount`:

- `msg.value == amount`: transfer WETH from contract not `msg.sender`
- `msg.value > amount`: transfer WETH from contract not `msg.sender` and refund to `msg.sender`
- `msg.value < amount`: transfer WETH from contract and transfer remaining from `msg.sender`
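
The three cases in the recommendation, modelled as a toy Python ledger (an added example, not code from the audited repository; `RouterModel`, `outcome` and the holder names are assumptions that only mirror `_processEthIn` and `pullToken` by analogy). It runs the reported flow and the recommended one and returns how much WETH is left in the router after each deposit, which is the balance `sweepToken` would expose.

```python
from collections import defaultdict

class RouterModel:
    """Simplified balance model of the router deposit path (not the Solidity code)."""
    def __init__(self):
        self.weth = defaultdict(int)         # WETH balance per holder
        self.allowance = defaultdict(int)    # WETH each holder approved to the router
        self.eth_refunds = defaultdict(int)  # ETH returned to callers

    def _process_eth_in(self, msg_value):
        # Wrapping credits the WETH to the router itself, not to the caller.
        self.weth["router"] += msg_value

    def _pull_token(self, sender, amount):
        # Models pullToken: transferFrom(msg.sender, router, amount).
        if amount > self.allowance[sender] or amount > self.weth[sender]:
            raise ValueError("insufficient allowance or balance")
        self.allowance[sender] -= amount
        self.weth[sender] -= amount
        self.weth["router"] += amount

    def _to_vault(self, amount):
        self.weth["router"] -= amount
        self.weth["vault"] += amount

    def deposit_vulnerable(self, sender, msg_value, amount):
        self._process_eth_in(msg_value)
        self._pull_token(sender, amount)     # ignores the WETH just wrapped
        self._to_vault(amount)

    def deposit_fixed(self, sender, msg_value, amount):
        self._process_eth_in(msg_value)
        from_wrapped = min(msg_value, amount)
        if amount > from_wrapped:            # msg.value < amount: pull only the shortfall
            self._pull_token(sender, amount - from_wrapped)
        if msg_value > amount:               # msg.value > amount: refund the excess
            self.weth["router"] -= msg_value - amount
            self.eth_refunds[sender] += msg_value - amount
        self._to_vault(amount)

def outcome(method, msg_value, amount, user_weth=10):
    """Return (router WETH left, vault WETH, user WETH, ETH refunded) after one deposit."""
    r = RouterModel()
    r.weth["user"] = user_weth               # constructed sample: user holds and approves 10 WETH
    r.allowance["user"] = user_weth
    getattr(r, method)("user", msg_value, amount)
    return r.weth["router"], r.weth["vault"], r.weth["user"], r.eth_refunds["user"]
```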