Skip to content
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

VAD37 - LMPVaultRouterBase mint and deposit function unintended pulling WETH from user when using only ETH #546

Closed
sherlock-admin opened this issue Aug 30, 2023 · 0 comments
Closed

VAD37 - LMPVaultRouterBase mint and deposit function unintended pulling WETH from user when using only ETH #546

sherlock-admin opened this issue Aug 30, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Aug 30, 2023
edited by sherlock-admin2
Loading

VAD37

high

LMPVaultRouterBase mint and deposit function unintended pulling WETH from user when using only ETH

Summary

The LMPVaultRouterBase contract unintentionally takes WETH from users who send ether to mint/deposit.
Due to this, the excess WETH remains stuck in the router. Anyone can take these stucked WETH.

Vulnerability Detail

  1. When a user calls the deposit() function, which is a payable method, any ether (msg.value) is converted to WETH.

  2. Simultaneously, the function pullToken() fetches the vaultAsset (WETH) from the user, which is WETH determined by LMPVault.asset().

  3. The issue arises as the LMPVault accepts WETH only from the amount pulled from the user, neglecting the ether the user sent to the payable function. Consequently, any unutilized ether remains stranded in the router contract.

  4. Given the router contract's PeripheryPayments sweep function, this stranded WETH can be taken by anyone.

Impact

Router mint and deposit payable function does not process ETH transfered in to vault so _processEthIn() does nothing.
Any user use ETH to deposit/mint will be stucked in router contract and can be stolen by anyone.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L29-L33
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L51

Tool used

Manual Review

Recommendation

  • Eliminate the payable attribute from the mint/deposit functions.
  • Relocate _processEthIn() to an individual function and employ multicall for executing both functions in a single transaction.

Duplicate of #1
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin2 sherlock-admin2 changed the title Refined Porcelain Shetland - LMPVaultRouterBase mint and deposit function unintended pulling WETH from user when using only ETH VAD37 - LMPVaultRouterBase mint and deposit function unintended pulling WETH from user when using only ETH Oct 3, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Oct 3, 2023
@Milad-Sha Milad-Sha mentioned this issue Oct 3, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2