This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
Labels: Duplicate (a valid issue that is a duplicate of an issue with `Has Duplicates` label), High (a valid High severity issue), Reward (a payout will be made for this issue)
0xSurena

high

User can lose funds with mint function

Summary

The user can lose funds if the `LMPVaultRouterBase.sol.mint` function is used with `msg.value > 0`.

Vulnerability Detail

The `mint` function in the `LMPVaultRouterBase` contract is used to mint the exact provided `share` amount from the user for the user, and the user can pay the needed amount of asset with `ETH` or an `erc20 Token`. As you can see, this function is `payable`.

Assume that the `vaultAsset` is `wETH` and the user wants to call this function with `msg.value = 1 ETH`. Anyone who has approved the contract for the `wETH` token and calls this function with, for example, `msg.value = 1 ETH` will pay double the cost for this process: first from the native ETH that is attached to the transaction, and next from the `pullToken` function that is called from `PeripheryPayments.sol`.

```solidity
function pullToken(IERC20 token, uint256 amount, address recipient) public payable {
    token.safeTransferFrom(msg.sender, recipient, amount);
}
```

A malicious user can steal it with `sweepToken` from `PeripheryPayments.sol`.

Impact

Anyone who has approved `LMPVaultRouter.sol` for the `wETH` token and uses the `mint` function with `msg.value < approved value` will pay double the cost for this process.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L30
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/utils/PeripheryPayments.sol#L55
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L51C1-L54C54

Tool used

Manual Review

Recommendation

The function should not use `pullToken` if the user sent in ETH.

Duplicate of #1
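
One way to implement the recommendation above, as an added example that is not code from the audited repository or from the issue author: a router `mint` that funds the vault either from the attached ETH or from a token pull, never both. The contract name `RouterPaymentSketch`, the `mint` parameters, the custom errors and the ERC-4626-style `IVault` interface are assumptions made for illustration, and the plain `transferFrom` return check stands in for the `safeTransferFrom` helper the original uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal interfaces, declared here so the example is self-contained.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}
interface IWETH9 is IERC20 { function deposit() external payable; }
interface IVault {
    function asset() external view returns (address);
    function previewMint(uint256 shares) external view returns (uint256);
    function mint(uint256 shares, address to) external returns (uint256);
}

contract RouterPaymentSketch {
    IWETH9 public immutable weth;
    error EthSentForNonWethVault();
    error WrongEthAmount(uint256 sent, uint256 needed);
    error MaxAmountExceeded(uint256 needed, uint256 maxAmountIn);
    error TokenCallFailed();

    constructor(IWETH9 _weth) { weth = _weth; }

    function mint(IVault vault, address to, uint256 shares, uint256 maxAmountIn)
        external payable returns (uint256 amountIn)
    {
        address asset = vault.asset();
        uint256 needed = vault.previewMint(shares);
        if (needed > maxAmountIn) revert MaxAmountExceeded(needed, maxAmountIn);

        if (msg.value > 0) {
            // ETH path: the attached ETH is the only funding source, so no pull happens.
            // An exact match leaves no wrapped balance behind on the router for a later sweep.
            if (asset != address(weth)) revert EthSentForNonWethVault();
            if (msg.value != needed) revert WrongEthAmount(msg.value, needed);
            weth.deposit{value: msg.value}();
        } else {
            // Token path: pull exactly what the vault will consume from the caller.
            if (!IERC20(asset).transferFrom(msg.sender, address(this), needed)) revert TokenCallFailed();
        }

        if (!IERC20(asset).approve(address(vault), needed)) revert TokenCallFailed();
        amountIn = vault.mint(shares, to);
    }
}
```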