asui - asui - dos in the mint function: LMPVaultRouterBase.sol

[sherlock-admin]

asui

medium

asui - dos in the mint function: LMPVaultRouterBase.sol

asui

medium

Summary

solidity LMPVaultRouterBase.sol: DOS in the mint function when user tries to mint shares using his eth.

Vulnerability Detail

if a user doesn't have weth9(base asset) and calls the mint function with eth
the mint function does this:

 function mint( 
        ILMPVault vault,
        address to,
        uint256 shares,
        uint256 maxAmountIn
    ) public payable virtual override returns (uint256 amountIn) {
        // handle possible eth
        _processEthIn(vault); 

        IERC20 vaultAsset = IERC20(vault.asset());
        uint256 assets = vault.previewMint(shares);
        pullToken(vaultAsset, assets, address(this));
        vaultAsset.safeApprove(address(vault), assets);

        amountIn = vault.mint(shares, to);
        if (amountIn > maxAmountIn) {
            revert MaxAmountError();
        }
    } 

1. user calls the mint with eth
2. function handles the eth with solidity _processEthIn(vault) :

 function _processEthIn(ILMPVault vault) internal {
        // if any eth sent, wrap it first
        if (msg.value > 0) {
            // if asset is not weth, revert
            if (address(vault.asset()) != address(weth9)) {
                revert InvalidAsset();
            }

            // wrap eth
            weth9.deposit{ value: msg.value }();
        }
    }

here weth9.deposit is called with the user's msg.value. When weth9 deposit funtion is triggered the msg.sender becomes the contract and not the user so the weth9 will be sent directly to the contract address and not the user's address.
At this point user still doesn't have any weth9.

3. back to the mint function solidity pullToken(vaultAsset, assets, address(this)); is called :

function pullToken(IERC20 token, uint256 amount, address recipient) public payable {
        token.safeTransferFrom(msg.sender, recipient, amount);  

this pullToken calls solidity token.safeTransferFrom(msg.sender, recipient, amount); trying to transfer token from msg.sender(user) to the recipient ( i.e. the contract address). But in point 2 we see that the user still doesn't have any weth9(base asset) despite sending eth therefore this solidity token.safeTransferFrom(msg.sender, recipient, amount); will always fail and the mint function will always revert when user doesn't have base asset and tries to mint shares with his eth.

Impact

users who doesn't have the asset token who wants to call the mint function using eth will always revert. If they want to mint shares they must first get the asset token from somewhere else.

Code Snippet

https://github.com/Tokemak/v2-core-audit-2023-07-14/blob/62445b8ee3365611534c96aef189642b721693bf/src/vault/LMPVaultRouterBase.sol#L23C5-L41C6

Tool used

Manual Review

Recommendation

do not call the solidity pullToken(vaultAsset, assets, address(this)); when user tries to mint shares using his eth.
And remember to send back the extra ether to the user by unwrapping the weth9 or without unwrapping it.

Duplicate of #1