This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

0xSurena - A malicious user may steal wETH balance in the LMPVaultRouter.sol #201

Closed
sherlock-admin2 opened this issue Aug 29, 2023 · 3 comments
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2
Contributor

sherlock-admin2 commented Aug 29, 2023

0xSurena

medium

A malicious user may steal wETH balance in the LMPVaultRouter.sol

Summary

If the LMPVaultRouter contract has a balance of erc20Token, a malicious user can steal it.

Vulnerability Detail

There is a sweepToken function in the PeripheryPayments.sol contract. This function is used to transfer the available balance of erc20Token to an address, so we can assume there is a case where erc20Token or the wETH token can become available in the LMPVaultRouter contract. LMPVaultRouter is LMPVaultRouterBase.sol and this is PeripheryPayments.sol. Please note that sweepToken and refundETH have no access control, and this is a known bug.

In the LMPVaultRouter.sol contract's withdrawToDeposit function, the _deposit function uses the exact input amount from the user.

In the withdraw process, we know that the LMPVaultRouter.sol contract cannot receive the exact requested amount from the DV contracts. For example, if the user's input for amount is 10 wETH, then LMPVaultRouter.sol can receive 9.9 wETH.

But in the _deposit function, the contract tries to use the exact 10 wETH value. Now if the LMPVaultRouter contract has a wETH balance, 0.1 wETH from the contract's balance will get deposited for the user.

Impact

A malicious user may steal wETH balance in the LMPVaultRouter.sol

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouter.sol#L31

Tool used

Manual Review

Recommendation

I recommend using the beforeBalance/afterBalance pattern in order to deposit the actual amount for the user.
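The two patterns contrasted in the report, as an added illustration (this is not Tokemak's code and not code from the report; every contract, interface and function name below is hypothetical and constructed for the example). RouterExactAmount deposits the caller-supplied amount, so any shortfall from the withdrawal is covered by tokens the router already holds; RouterBalanceDelta measures the router's token balance before and after the withdrawal and deposits only the difference. MockVault applies a haircut on withdraw to model the "ask for 10, receive 9.9" case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// All contracts in this file are constructed for illustration; none is Tokemak code.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault surface: withdraw() may deliver fewer tokens than requested.
interface IVault {
    function asset() external view returns (IERC20);
    function withdraw(uint256 assets, address receiver, address owner) external returns (uint256);
    function deposit(uint256 assets, address receiver) external returns (uint256);
}

// Pattern described in the report: the caller-supplied amount is what gets deposited,
// so a withdrawal shortfall is silently covered by tokens the router already holds.
contract RouterExactAmount {
    function withdrawToDeposit(IVault from, IVault to, address receiver, uint256 amount) external returns (uint256) {
        IERC20 token = from.asset();
        from.withdraw(amount, address(this), msg.sender); // may deliver less than `amount`
        token.approve(address(to), amount);
        to.deposit(amount, receiver);                      // deposits the request, not the receipt
        return amount;
    }
}

// beforeBalance/afterBalance pattern: deposit only what the withdrawal actually delivered.
contract RouterBalanceDelta {
    function withdrawToDeposit(IVault from, IVault to, address receiver, uint256 amount) external returns (uint256 received) {
        IERC20 token = from.asset();
        uint256 before = token.balanceOf(address(this));
        from.withdraw(amount, address(this), msg.sender);
        received = token.balanceOf(address(this)) - before; // measured delta, not the request
        token.approve(address(to), received);
        to.deposit(received, receiver);
    }
}

// Minimal ERC-20 mock (constructed): no events, no zero-address checks.
contract MockToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external override returns (bool) {
        allowance[msg.sender][spender] = amount; return true;
    }
    function transfer(address to, uint256 amount) external override returns (bool) {
        _move(msg.sender, to, amount); return true;
    }
    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount; _move(from, to, amount); return true;
    }
    function _move(address from, address to, uint256 amount) internal {
        balanceOf[from] -= amount; balanceOf[to] += amount;
    }
}

// Vault mock (constructed): withdraw() pays `assets` minus a haircut in basis points; shares are 1:1.
contract MockVault is IVault {
    IERC20 public immutable token;
    uint256 public immutable haircutBps;
    mapping(address => uint256) public shares;

    constructor(IERC20 token_, uint256 haircutBps_) { token = token_; haircutBps = haircutBps_; }
    function asset() external view override returns (IERC20) { return token; }
    function withdraw(uint256 assets, address receiver, address) external override returns (uint256) {
        uint256 paid = assets - (assets * haircutBps) / 10_000;
        token.transfer(receiver, paid);
        return paid;
    }
    function deposit(uint256 assets, address receiver) external override returns (uint256) {
        token.transferFrom(msg.sender, address(this), assets);
        shares[receiver] += assets;
        return assets;
    }
}

// Scenario (constructed): each router starts with 1 stray token; the caller moves 10 tokens
// out of a vault with a 1% haircut. Returns the stray balance left in each router afterwards.
contract Scenario {
    uint256 constant ONE = 1e18;

    function run() external returns (uint256 exactStrayLeft, uint256 deltaStrayLeft) {
        MockToken t = new MockToken();
        MockVault src = new MockVault(t, 100);   // 1% haircut on withdraw
        MockVault dst = new MockVault(t, 0);
        t.mint(address(src), 100 * ONE);         // liquidity backing withdrawals
        RouterExactAmount exact = new RouterExactAmount();
        RouterBalanceDelta delta = new RouterBalanceDelta();
        t.mint(address(exact), ONE);             // stray balance in each router
        t.mint(address(delta), ONE);
        exact.withdrawToDeposit(src, dst, address(this), 10 * ONE);
        delta.withdrawToDeposit(src, dst, address(this), 10 * ONE);
        exactStrayLeft = t.balanceOf(address(exact)); // 0.9e18: 0.1 token of stray balance was spent
        deltaStrayLeft = t.balanceOf(address(delta)); // 1e18: stray balance untouched
    }
}
```

In the scenario, the exact-amount router receives 9.9 tokens from the withdrawal but deposits 10, so 0.1 of its pre-existing balance goes to the caller; the balance-delta router deposits exactly the 9.9 it received. Whether that transfer of pre-existing balance is a vulnerability depends on whether the router is meant to hold funds, which is the point the judge raised below.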

@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Sep 11, 2023
@sherlock-admin2
Contributor Author

1 comment(s) were left on this issue during the judging contest.

Trumpero commented:

invalid, LMPVaultRouter is intended to hold funds

@sherlock-admin sherlock-admin changed the title Blunt Inky Yeti - A malicious user may steal wETH balance in the LMPVaultRouter.sol 0xSurena - A malicious user may steal wETH balance in the LMPVaultRouter.sol Oct 3, 2023
@sherlock-admin sherlock-admin added the Non-Reward This issue will not receive a payout label Oct 3, 2023
@0xSurena

0xSurena commented Oct 4, 2023

Escalate

Based on this accepted issue, the LMPVaultRouter contract can hold funds.

If the user deposits 10 ETH and approves 10 WETH to the contract, when the deposit amount is 10, all of the user's 20 WETH will be transferred into the contract. However, since the amount is 10, only 10 WETH will be deposited into the vault, and the remaining 10 WETH stays in the contract.

Thanks

@sherlock-admin2
Contributor Author

The escalation could not be created because you are not exceeding the escalation threshold.

You can view the required number of additional valid issues/judging contest payouts in your Profile page, in the Sherlock webapp.
