This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
lemonmon - Too many assets may be pulled from the user when they deposit or mint into the LMPVault via LMPVaultRouterBase.mint() or LMPVaultRouterBase.deposit()
#363
Comments
github-actions
bot
added
High
sherlock-admin
changed the title
LMPVault via LMPVaultRouterBase.mint() or LMPVaultRouterBase.deposit()LMPVault via LMPVaultRouterBase.mint() or LMPVaultRouterBase.deposit()
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
lemonmon
medium
Too many assets may be pulled from the user when they deposit or mint into the
LMPVaultviaLMPVaultRouterBase.mint()orLMPVaultRouterBase.deposit()Summary
LMPVaultRouterBase.mint()andLMPVaultRouterBase.deposit()both may pull too many assets from the user, if the user sends ETH viamsg.value.Vulnerability Detail
When a user is calling
LMPVaultRouterBase.mint()orLMPVaultRouterBase.deposit()and they are sending ETH viamsg.value, the protocol may pull too many assets from the user:LMPVaultRouterBase._processEthIn()is called subsequently (line 51, line 30 LMPVaultRouterBase.sol), which deposits WETH for theLMPVaultRoutercontract (line 120 LMPVaultRouterBase.sol) based on themsg.valuewhich is the ETH the user sent to the contract.Additionally
PeripheryPayments.pullToken()gets called (line 54, line 34 LMPVaultRouterBase.sol), which transfers WETH from the user to theLMPVaultRoutercontract, despite that the user already sent the necessary assets in ETH viamsg.value.Impact
The protocol might pull too many assets from the user due to this issue. First the protocol receives ETH via
msg.valueand then additionally the protocol also pulls WETH from the user, so that the user might have paid too many assets at the end.A malicious actor may then steal these excess assets by calling
PeripheryPayments.unwrapWETH9(), which unwraps all the WETH in theLMPVaultRouterand sends it to therecipientfunction parameter, so that the malicious actor receives the excess WETH assets from the victim user who depositted or minted before into theLMPVaultviaLMPVaultRouterBase.mint()orLMPVaultRouterBase.deposit()by sending ETH to the protocol viamsg.value.Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L44-L57
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L23-L41
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L111-L122
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/utils/PeripheryPayments.sol#L54-L56
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/utils/PeripheryPayments.sol#L39-L48
Tool used
Manual Review
Recommendation
Consider adjusting
LMPVaultRouterBase.mint()andLMPVaultRouterBase.deposit()to account for the ETH that the user sent viamsg.valueto the protocol, so that the protocol doesn't pull too many assets from the user.Duplicate of #1
The text was updated successfully, but these errors were encountered: