Skip to content
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

bin2chen - LMPVaultRouter duplicate transfer ETH #610

Closed
sherlock-admin opened this issue Aug 30, 2023 · 0 comments
Closed

bin2chen - LMPVaultRouter duplicate transfer ETH #610

sherlock-admin opened this issue Aug 30, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Aug 30, 2023

bin2chen

high

LMPVaultRouter duplicate transfer ETH

Summary

in LMPVaultRouter.mint()/ LMPVaultRouter.deposit()
Will execute _processEthIn(), then execute pullToken(vaultAsset, assets, address(this)).
Executing pullToken() does not deduct the ETH from msg.value, resulting in a duplicate transfer to WETH
Resulting in the loss of the user's ETH

Vulnerability Detail

in LMPVaultRouter.mint()

abstract contract LMPVaultRouterBase is ILMPVaultRouterBase, SelfPermit, Multicall, PeripheryPayments {
...
    function mint(
        ILMPVault vault,
        address to,
        uint256 shares,
        uint256 maxAmountIn
    ) public payable virtual override returns (uint256 amountIn) {
        // handle possible eth
@>      _processEthIn(vault);

        IERC20 vaultAsset = IERC20(vault.asset());
@>      uint256 assets = vault.previewMint(shares);
@>      pullToken(vaultAsset, assets, address(this));
        vaultAsset.safeApprove(address(vault), assets);

        amountIn = vault.mint(shares, to);
        if (amountIn > maxAmountIn) {
            revert MaxAmountError();
        }
    }


    function _processEthIn(ILMPVault vault) internal {
        // if any eth sent, wrap it first
        if (msg.value > 0) {
            // if asset is not weth, revert
            if (address(vault.asset()) != address(weth9)) {
                revert InvalidAsset();
            }

            // wrap eth
            weth9.deposit{ value: msg.value }();
        }
    }

From the above code, we know that there are two ways to pass in ETH msg.value and pullToken()

But executing pullToken(assets), assets does not deduct msg.value

If the user has WETH.approve(router) before, then the user will be transferred eth repeatedly, and a copy will be left in the contract.

Example:
suppose vault.asset == weth , 1 shares = 1 assets

if alice call mint{ value = 100} (shares=100)

  1. msg.value = 100
  2. pullToken(assets = 100) -> WETH.transerFrom(alice,addfress(this),100)

so alice Pay 200 eth, get 100 shares, 100 eth stays in the contract.

Impact

Repeatedly transferring ETH, causing the user to lose a copy of ETH.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L30-L34

Tool used

Manual Review

Recommendation

    function mint(
        ILMPVault vault,
        address to,
        uint256 shares,
        uint256 maxAmountIn
    ) public payable virtual override returns (uint256 amountIn) {
        // handle possible eth
        _processEthIn(vault);

        IERC20 vaultAsset = IERC20(vault.asset());
        uint256 assets = vault.previewMint(shares);
-       pullToken(vaultAsset, assets, address(this));
+      if(vaultAsset == weth9 && msg.value > 0 ) {
+           pullToken(vaultAsset, assets - msg.value, address(this));
+      }else{
+         pullToken(vaultAsset, assets, address(this));
+      }
        vaultAsset.safeApprove(address(vault), assets);

        amountIn = vault.mint(shares, to);
        if (amountIn > maxAmountIn) {
            revert MaxAmountError();
        }
    }

Duplicate of #1

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Sep 11, 2023
@sherlock-admin2 sherlock-admin2 changed the title Fluffy Shamrock Turkey - LMPVaultRouter duplicate transfer ETH bin2chen - LMPVaultRouter duplicate transfer ETH Oct 3, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Oct 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Development

No branches or pull requests

2 participants