You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 29, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
function handles the eth with solidity _processEthIn(vault) :
function _processEthIn(ILMPVault vault) internal {
// if any eth sent, wrap it firstif (msg.value>0) {
// if asset is not weth, revertif (address(vault.asset()) !=address(weth9)) {
revertInvalidAsset();
}
// wrap eth
weth9.deposit{ value: msg.value }();
}
}
here weth9.deposit is called with the user's msg.value. When weth9 deposit funtion is triggered the msg.sender becomes the contract and not the user so the weth9 will be sent directly to the contract address and not the user's address.
At this point user still doesn't have any weth9.
back to the mint function solidity pullToken(vaultAsset, assets, address(this)); is called :
function pullToken(IERC20token, uint256amount, addressrecipient) publicpayable {
token.safeTransferFrom(msg.sender, recipient, amount);
this pullToken calls solidity token.safeTransferFrom(msg.sender, recipient, amount); trying to transfer token from msg.sender(user) to the recipient ( i.e. the contract address). But in point 2 we see that the user still doesn't have any weth9(base asset) despite sending eth therefore this solidity token.safeTransferFrom(msg.sender, recipient, amount); will always fail and the mint function will always revert when user doesn't have base asset and tries to mint shares with his eth.
Impact
users who doesn't have the asset token who wants to call the mint function using eth will always revert. If they want to mint shares they must first get the asset token from somewhere else.
do not call the solidity pullToken(vaultAsset, assets, address(this)); when user tries to mint shares using his eth.
And remember to send back the extra ether to the user by unwrapping the weth9 or without unwrapping it.
sherlock-admin2
changed the title
Glorious Oily Alpaca - asui - dos in the mint function: LMPVaultRouterBase.sol
asui - asui - dos in the mint function: LMPVaultRouterBase.sol
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
asui
medium
asui - dos in the mint function: LMPVaultRouterBase.sol
asui
medium
Summary
solidity LMPVaultRouterBase.sol
: DOS in the mint function when user tries to mint shares using his eth.Vulnerability Detail
if a user doesn't have weth9(base asset) and calls the mint function with eth
the mint function does this:
solidity _processEthIn(vault)
:here weth9.deposit is called with the user's msg.value. When weth9 deposit funtion is triggered the msg.sender becomes the contract and not the user so the weth9 will be sent directly to the contract address and not the user's address.
At this point user still doesn't have any weth9.
solidity pullToken(vaultAsset, assets, address(this));
is called :this pullToken calls
solidity token.safeTransferFrom(msg.sender, recipient, amount);
trying to transfer token from msg.sender(user) to the recipient ( i.e. the contract address). But in point 2 we see that the user still doesn't have any weth9(base asset) despite sending eth therefore thissolidity token.safeTransferFrom(msg.sender, recipient, amount);
will always fail and the mint function will always revert when user doesn't have base asset and tries to mint shares with his eth.Impact
users who doesn't have the asset token who wants to call the mint function using eth will always revert. If they want to mint shares they must first get the asset token from somewhere else.
Code Snippet
https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVaultRouterBase.sol#L23C5-L41C6
Tool used
Manual Review
Recommendation
do not call the
solidity pullToken(vaultAsset, assets, address(this));
when user tries to mint shares using his eth.And remember to send back the extra ether to the user by unwrapping the weth9 or without unwrapping it.
Duplicate of #1
The text was updated successfully, but these errors were encountered: