You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 30, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
LMPVaultRouterBase mint and deposit function unintended pulling WETH from user when using only ETH
Summary
The LMPVaultRouterBase contract unintentionally takes WETH from users who send ether to mint/deposit.
Due to this, the excess WETH remains stuck in the router. Anyone can take these stucked WETH.
The issue arises as the LMPVault accepts WETH only from the amount pulled from the user, neglecting the ether the user sent to the payable function. Consequently, any unutilized ether remains stranded in the router contract.
Given the router contract's PeripheryPaymentssweep function, this stranded WETH can be taken by anyone.
Impact
Router mint and deposit payable function does not process ETH transfered in to vault so _processEthIn() does nothing.
Any user use ETH to deposit/mint will be stucked in router contract and can be stolen by anyone.
sherlock-admin2
changed the title
Refined Porcelain Shetland - LMPVaultRouterBase mint and deposit function unintended pulling WETH from user when using only ETH
VAD37 - LMPVaultRouterBase mint and deposit function unintended pulling WETH from user when using only ETH
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
VAD37
high
LMPVaultRouterBase
mint and deposit function unintended pulling WETH from user when using only ETHSummary
The
LMPVaultRouterBase
contract unintentionally takes WETH from users who send ether to mint/deposit.Due to this, the excess WETH remains stuck in the router. Anyone can take these stucked WETH.
Vulnerability Detail
When a user calls the
deposit()
function, which is a payable method, any ether (msg.value
) is converted to WETH.Simultaneously, the function
pullToken()
fetches thevaultAsset
(WETH) from the user, which is WETH determined byLMPVault.asset()
.The issue arises as the
LMPVault
accepts WETH only from the amount pulled from the user, neglecting the ether the user sent to the payable function. Consequently, any unutilized ether remains stranded in the router contract.Given the router contract's
PeripheryPayments
sweep function, this stranded WETH can be taken by anyone.Impact
Router mint and deposit payable function does not process ETH transfered in to vault so
_processEthIn()
does nothing.Any user use ETH to deposit/mint will be stucked in router contract and can be stolen by anyone.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L29-L33
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L51
Tool used
Manual Review
Recommendation
_processEthIn()
to an individual function and employ multicall for executing both functions in a single transaction.Duplicate of #1
The text was updated successfully, but these errors were encountered: