0xDjango - Mint/Deposit with payable ETH will result in double spend

[sherlock-admin2]

0xDjango

high

Mint/Deposit with payable ETH will result in double spend

Summary

If a user calls LMPVaultRouterBase.mint() or LMPVaultRouterBase.deposit() while sending ETH, they will pay double. Upon calling either function while sending ETH, the _processEthIn(vault); function is called. This deposits msg.value into the WETH9 contract, but nothing else. Later in the deposit execution, the expected WETH amount is pulled from msg.sender. Effectively, the caller sends both ETH and WETH.

Vulnerability Detail

A user can use the LMPVaultRouter to conveniently deposit into a vault.

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L44-L57

The first line in the execution is _processEthIn(vault);.

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L111-L122

As can be seen above, the msg.value is deposited into the WETH9 contract, but it is credited to the LMPVaultRouter contract, not the caller. Later in the deposit operation, the expected WETH amount is pulled from the caller.

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L54

Impact

• Double spend of ETH/WETH. Loss of funds.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L44-L57

Tool used

Manual Review

Recommendation

The WETH9 contract does not contain a deposit() function that accepts a recipient. Therefore, the best fix is either to:

• Deposit the ETH normally and transfer to the recipient.
• Deduct the deposited value from the pullTokens() amount to only pull the difference.

Duplicate of #1