This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
Labels: Duplicate (a valid issue that is a duplicate of an issue with `Has Duplicates` label), High (a valid High severity issue), Reward (a payout will be made for this issue)
Mint/Deposit with payable ETH will result in double spend
sherlock-admin changed the title from "Kind Banana Caterpillar - Mint/Deposit with payable ETH will result in double spend" to "0xDjango - Mint/Deposit with payable ETH will result in double spend" on Oct 3, 2023.
0xDjango
high
Mint/Deposit with payable ETH will result in double spend
Summary
If a user calls LMPVaultRouterBase.mint() or LMPVaultRouterBase.deposit() while sending ETH, they will pay double. Upon calling either function while sending ETH, the _processEthIn(vault); function is called. This deposits msg.value into the WETH9 contract, but nothing else. Later in the deposit execution, the expected WETH amount is pulled from msg.sender. Effectively, the caller sends both ETH and WETH.
Vulnerability Detail
A user can use the LMPVaultRouter to conveniently deposit into a vault.
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L44-L57
The first line in the execution is _processEthIn(vault);.
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L111-L122
As can be seen above, the msg.value is deposited into the WETH9 contract, but it is credited to the LMPVaultRouter contract, not the caller. Later in the deposit operation, the expected WETH amount is pulled from the caller.
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L54
Impact
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L44-L57
Tool used
Manual Review
Recommendation
The WETH9 contract does not contain a deposit() function that accepts a recipient. Therefore, the best fix is either to:
pullTokens() amount to only pull the difference.
Duplicate of #1
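A ledger model of the flow this report describes, added here as an example (it is not the project's Solidity and not code from the report). The account labels, function names and balances are constructed, and the step that forwards WETH from the router to the vault is an assumption about the rest of the deposit.

```python
from collections import defaultdict

ROUTER, VAULT, USER = "router", "vault", "user"  # constructed account labels


class Ledger:
    """ETH and WETH balances; wrap() mirrors WETH9 crediting only its caller."""

    def __init__(self, eth, weth):
        self.eth = defaultdict(int, eth)
        self.weth = defaultdict(int, weth)

    def wrap(self, payer, caller, value):
        if self.eth[payer] < value:
            raise ValueError("insufficient ETH")
        self.eth[payer] -= value
        self.weth[caller] += value  # no recipient parameter: caller is credited

    def transfer_from(self, src, dst, amount):
        if self.weth[src] < amount:
            raise ValueError("insufficient WETH")
        self.weth[src] -= amount
        self.weth[dst] += amount


def router_deposit(ledger, amount, msg_value, pull_only_difference):
    """Model one router deposit; returns (total paid by user, WETH left on router)."""
    before = ledger.eth[USER] + ledger.weth[USER]
    if msg_value:
        ledger.wrap(USER, ROUTER, msg_value)  # ETH-in step credits the router
    if pull_only_difference:
        if msg_value > amount:
            raise ValueError("msg.value exceeds deposit amount")
        pull = amount - msg_value  # fixed: count the ETH already wrapped
    else:
        pull = amount  # reported behaviour: full amount pulled again
    ledger.transfer_from(USER, ROUTER, pull)
    ledger.transfer_from(ROUTER, VAULT, amount)  # assumption: router funds the vault
    paid = before - (ledger.eth[USER] + ledger.weth[USER])
    return paid, ledger.weth[ROUTER]


def compare(amount=10, msg_value=10):
    """Run the same call against the reported and the fixed pull logic."""
    start = {"eth": {USER: 10}, "weth": {USER: 10}}  # constructed balances
    return {fixed: router_deposit(Ledger(start["eth"], start["weth"]),
                                  amount, msg_value, fixed)
            for fixed in (False, True)}
```

With the reported logic the user pays twice the deposit amount and the surplus WETH stays on the router; pulling only the difference makes the payment equal the deposit and leaves the router empty.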