You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 29, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
Router is requiring twice the tokens when paying with native eth
Summary
LMPRouterBase is allowing to pay in native ETH instead of WETH inside the mint/deposit functions. However the implementation is flawed.
Vulnerability Detail
The mint and deposit implementation of the LMPRouterBase contract allow a user to pay in native eth for vaults that are using WETH as an asset.
For this the _processEthIn is called at the beginning of these functions. Inside this function there is a check if the msg.value is bigger than 0 and if yes if the vaults asset is WETH. In case the second check fails, the function will revert.
However if it is an WETH vault, the msg.value is deposited to weth (wrapping it).
However after the call to _processEthIn the function continues as usual and eventually calls pullToken, which is straight up calling safeTransferFrom and transferring the specified amount of WETH into the contract. This makes the user actually pay twice, as a part was payed in native eth and again paid in WETH.
Impact
User pays twice or transaction reverts (if missing approval)
sherlock-admin2
changed the title
Fluffy Sand Lobster - Router is requiring twice the tokens when paying with native eth
shogoki - Router is requiring twice the tokens when paying with native eth
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
shogoki
medium
Router is requiring twice the tokens when paying with native eth
Summary
LMPRouterBase is allowing to pay in native ETH instead of WETH inside the mint/deposit functions. However the implementation is flawed.
Vulnerability Detail
The
mint
anddeposit
implementation of theLMPRouterBase
contract allow a user to pay in native eth for vaults that are usingWETH
as an asset.For this the
_processEthIn
is called at the beginning of these functions. Inside this function there is a check if themsg.value
is bigger than0
and if yes if the vaults asset isWETH
. In case the second check fails, the function will revert.However if it is an WETH vault, the msg.value is deposited to weth (wrapping it).
However after the call to
_processEthIn
the function continues as usual and eventually callspullToken
, which is straight up callingsafeTransferFrom
and transferring the specified amount of WETH into the contract. This makes the user actually pay twice, as a part was payed in native eth and again paid in WETH.Impact
User pays twice or transaction reverts (if missing approval)
Code Snippet
https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVaultRouterBase.sol#L23-L57
https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVaultRouterBase.sol#L111-L122
https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/utils/PeripheryPayments.sol#L54-L56
Tool used
Manual Review
Recommendation
Adjust the amount to pull from the user in case there was native eth sent.
Duplicate of #1
The text was updated successfully, but these errors were encountered: