Skip to content
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

0xSurena - User can loss fund with mint function #151

Closed
sherlock-admin2 opened this issue Aug 29, 2023 · 0 comments
Closed

0xSurena - User can loss fund with mint function #151

sherlock-admin2 opened this issue Aug 29, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Aug 29, 2023

0xSurena

high

User can loss fund with mint function

Summary

The user can loss fund if LMPVaultRouterBase.sol.mint function get used with msg.value > 0.

Vulnerability Detail

The mint function in the LMPVaultRouterBase contract is using in order to mint exact provided share amount from the user for the user and user can pay needed amount of asset with ETH or erc20 Token. As you can see this function is payable.

    function mint(
        ILMPVault vault,
        address to,
        uint256 shares,
        uint256 maxAmountIn
    ) public payable virtual override returns (uint256 amountIn) {
        // handle possible eth
        _processEthIn(vault);

        IERC20 vaultAsset = IERC20(vault.asset());
        uint256 assets = vault.previewMint(shares);
        pullToken(vaultAsset, assets, address(this));
        vaultAsset.safeApprove(address(vault), assets);

        amountIn = vault.mint(shares, to);
        if (amountIn > maxAmountIn) {
            revert MaxAmountError();
        }
    }

Assume that the vaultAsset is wETH and user want to call this function with msg.value = 1 ETH. anyone who has approved the contract for wETH token, if call this function with for example msg.value = 1 ETH, will pay duble cost for this process. first from native ETH that attached to the transaction and next is from pullToken function that is called from PeripheryPayments.sol.

    function pullToken(IERC20 token, uint256 amount, address recipient) public payable {
        token.safeTransferFrom(msg.sender, recipient, amount);
    }

A malicious user can steal it with sweepToken from PeripheryPayments.sol.

Impact

Anyone who has approved the LMPVaultRouter.sol for wETH token, If using mint function with msg.value < approved value, then will pay duble cost for this process.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L30
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/utils/PeripheryPayments.sol#L55
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L51C1-L54C54

Tool used

Manual Review

Recommendation

Function should not use pullToken if user sent in eth.

Duplicate of #1

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin sherlock-admin changed the title Blunt Inky Yeti - User can loss fund with mint function 0xSurena - User can loss fund with mint function Oct 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Oct 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Development

No branches or pull requests

2 participants