This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
0xSurena - A malicious user may steal wETH balance in the LMPVaultRouter.sol #201
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
0xSurena
medium
A malicious user may steal wETH balance in the LMPVaultRouter.sol
Summary
If the
LMPVaultRouter
contract has balance forerc20Token
, a malicious user can steal it.Vulnerability Detail
There is
sweepToken
function in thePeripheryPayments.sol
contract. this function is using to transfer avalaible balance forerc20Token
to an address. so we can assume that there is a case thaterc20Token
orwETH
token can become available in theLMPVaultRouter
contract.LMPVaultRouter
isLMPVaultRouterBase.sol
and this isPeripheryPayments.sol
. please pay attention thatsweepToken
andrefundETH
has no access control and this is know as bug.In the
LMPVaultRouter.sol
contract andwithdrawToDeposit
function, the_deposit
function is using exact value of inputamount
from the user.In the
withdraw
process, we know thatLMPVaultRouter.sol
contract cannot receive the exact amount of requestedamount
fromDV
contracts. for example if user input foramount
is 10 wETH, thenLMPVaultRouter.sol
can receive 9.9 wETH.But in the
_deposit
function, the contract is trying to use the exact 10 wETH value. Now ifLMPVaultRouter
contract has balance for wETH, 0.1 wETH from balance of contract will get deposit for the user.Impact
A malicious user may steal wETH balance in the LMPVaultRouter.sol
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouter.sol#L31
Tool used
Manual Review
Recommendation
I Recommend to use
beforeBalance
andafterBalance
pattern in order to deposit actual amount for user.The text was updated successfully, but these errors were encountered: