This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

asui - asui - dos in deposit function: LMPVaultRouterBase #489

Closed
sherlock-admin2 opened this issue Aug 29, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

sherlock-admin2 commented Aug 29, 2023

asui

medium

asui - dos in deposit function: LMPVaultRouterBase

Summary

Users cannot call deposit if they don't have asset tokens.

Vulnerability Detail

Suppose a user doesn't have any asset token but decides to deposit using his eth. This will always revert because `_processEthIn(vault);` inside the deposit function mints weth9 (asset token) to the contract and not the user, and on the next line, when the deposit function calls `pullToken(vaultAsset, amount, address(this));`, this will always fail because the user doesn't have any weth9 (asset token), but this pullToken tries to pull weth9 from the user to the contract address, and the function will revert.
Here is the code for the deposit function:

```solidity
function deposit(
    ILMPVault vault,
    address to,
    uint256 amount,
    uint256 minSharesOut
) public payable virtual override returns (uint256 sharesOut) {
    // handle possible eth
    _processEthIn(vault);

    IERC20 vaultAsset = IERC20(vault.asset());
    pullToken(vaultAsset, amount, address(this));

    return _deposit(vault, to, amount, minSharesOut);
}
```

Impact

Users without base tokens cannot deposit even if they want to deposit using their eth. They can only do so by getting the base asset from somewhere else and calling the deposit function.

Code Snippet

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVaultRouterBase.sol#L44C5-L57C6

Tool used

Manual Review

Recommendation

Only pull tokens when the user calls without eth, since when the _processEthIn is called the contract already has the base asset.
And if the user sends more eth than needed, return the excess amount either by unwrapping it back to eth or without unwrapping it.

Duplicate of #1

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin sherlock-admin changed the title Glorious Oily Alpaca - asui - dos in deposit function: LMPVaultRouterBase asui - asui - dos in deposit function: LMPVaultRouterBase Oct 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Oct 3, 2023
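
The recommendation in the report above, written out as an added example that is not part of the original issue or the Tokemak code base: the router pulls the asset from the caller only when no ETH was sent, and on the ETH path it wraps only `amount` so any excess can be refunded as ETH. The contract name, the `*Like` interfaces, the ERC-4626-style `vault.deposit(assets, receiver)` call and the custom errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal stand-in interfaces (assumed for this example, not the project's own).
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}
interface IWETH9Like is IERC20Like {
    function deposit() external payable;
}
interface IVaultLike {
    function asset() external view returns (address);
    function deposit(uint256 assets, address receiver) external returns (uint256 shares);
}

contract RouterDepositExample {
    IWETH9Like public immutable weth9;

    error InvalidAsset();
    error InsufficientEth(uint256 sent, uint256 needed);
    error MinSharesError();
    error RefundFailed();

    constructor(IWETH9Like _weth9) { weth9 = _weth9; }

    function deposit(IVaultLike vault, address to, uint256 amount, uint256 minSharesOut)
        external payable returns (uint256 sharesOut)
    {
        IERC20Like asset = IERC20Like(vault.asset());
        uint256 excess = 0;
        if (msg.value > 0) {
            // ETH path: wrapping credits WETH to this contract, so nothing is pulled.
            if (address(asset) != address(weth9)) revert InvalidAsset();
            if (msg.value < amount) revert InsufficientEth(msg.value, amount);
            weth9.deposit{value: amount}();
            excess = msg.value - amount; // stays as ETH, refunded below
        } else {
            // Token path: the only case where the caller must already hold the asset.
            // Assumes a token that returns bool; production code would use SafeERC20.
            require(asset.transferFrom(msg.sender, address(this), amount), "pull failed");
        }
        asset.approve(address(vault), amount);
        sharesOut = vault.deposit(amount, to);
        if (sharesOut < minSharesOut) revert MinSharesError();
        if (excess > 0) {
            // Refund last, after all accounting, to limit what a re-entrant caller can observe.
            (bool ok, ) = msg.sender.call{value: excess}("");
            if (!ok) revert RefundFailed();
        }
    }
}
```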