This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

shogoki - Router is requiring twice the tokens when paying with native eth #326

Closed
sherlock-admin opened this issue Aug 29, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue


sherlock-admin commented Aug 29, 2023

shogoki

medium

Router is requiring twice the tokens when paying with native eth

Summary

LMPRouterBase allows paying in native ETH instead of WETH inside the mint/deposit functions. However, the implementation is flawed.

Vulnerability Detail

The mint and deposit implementation of the LMPRouterBase contract allow a user to pay in native eth for vaults that are using WETH as an asset.

For this, _processEthIn is called at the beginning of these functions. Inside this function there is a check if the msg.value is bigger than 0 and, if yes, if the vault's asset is WETH. In case the second check fails, the function will revert.
However, if it is a WETH vault, the msg.value is deposited to WETH (wrapping it).
However, after the call to _processEthIn the function continues as usual and eventually calls pullToken, which is straight up calling safeTransferFrom and transferring the specified amount of WETH into the contract. This makes the user actually pay twice, as a part was paid in native ETH and again paid in WETH.

Impact

User pays twice or transaction reverts (if missing approval)

Code Snippet

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVaultRouterBase.sol#L23-L57

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVaultRouterBase.sol#L111-L122

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/utils/PeripheryPayments.sol#L54-L56

Tool used

Manual Review

Recommendation

Adjust the amount to pull from the user in case there was native eth sent.

Duplicate of #1

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin2 sherlock-admin2 changed the title from "Fluffy Sand Lobster - Router is requiring twice the tokens when paying with native eth" to "shogoki - Router is requiring twice the tokens when paying with native eth" Oct 3, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Oct 3, 2023
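
The accounting described in the report, as an added example that is not part of the original issue and is not Tokemak's contract code: a small Python model of the wrap-then-pull flow, with the recommended adjustment behind a `fixed` flag. The function names, the ledger dictionaries and the choice to reject `msg_value > amount` in the fixed path are assumptions of this example.

```python
# Constructed model of the flow in the report; not Tokemak's contract code.
class Revert(Exception):
    """Stands in for an EVM revert: the whole call is undone."""

def weth_transfer_from(balances, allowances, src, dst, amount):
    # The conditions a WETH transferFrom depends on: allowance and balance.
    if allowances.get(src, 0) < amount:
        raise Revert("missing approval")
    if balances.get(src, 0) < amount:
        raise Revert("insufficient WETH")
    allowances[src] -= amount
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount

def router_deposit(amount, msg_value, user_weth, user_allowance, fixed=False):
    """Run one deposit into a WETH vault; return (eth_paid, weth_paid) by the user."""
    balances = {"user": user_weth, "router": 0}
    allowances = {"user": user_allowance}
    # _processEthIn: wrap any native ETH sent with the call.
    if msg_value > 0:
        balances["router"] += msg_value
    to_pull = amount
    if fixed:
        # Recommendation: reduce the pull by the ETH already received.
        # Rejecting msg_value > amount is this example's assumption.
        if msg_value > amount:
            raise Revert("more ETH sent than the deposit amount")
        to_pull = amount - msg_value
    # pullToken: transfer WETH from the user into the router.
    if to_pull > 0:
        weth_transfer_from(balances, allowances, "user", "router", to_pull)
    return msg_value, user_weth - balances["user"]

def reverts(**kwargs):
    """True if the modelled call reverts, False if it completes."""
    try:
        router_deposit(**kwargs)
        return False
    except Revert:
        return True
```
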