You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 30, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
in LMPVaultRouter.mint()/ LMPVaultRouter.deposit()
Will execute _processEthIn(), then execute pullToken(vaultAsset, assets, address(this)).
Executing pullToken() does not deduct the ETH from msg.value, resulting in a duplicate transfer to WETH
Resulting in the loss of the user's ETH
Vulnerability Detail
in LMPVaultRouter.mint()
abstractcontractLMPVaultRouterBaseisILMPVaultRouterBase, SelfPermit, Multicall, PeripheryPayments {
...
function mint(
ILMPVault vault,
addressto,
uint256shares,
uint256maxAmountIn
) publicpayablevirtualoverridereturns (uint256amountIn) {
// handle possible eth
@>_processEthIn(vault);
IERC20 vaultAsset =IERC20(vault.asset());
@>uint256 assets = vault.previewMint(shares);
@>pullToken(vaultAsset, assets, address(this));
vaultAsset.safeApprove(address(vault), assets);
amountIn = vault.mint(shares, to);
if (amountIn > maxAmountIn) {
revertMaxAmountError();
}
}
function _processEthIn(ILMPVault vault) internal {
// if any eth sent, wrap it firstif (msg.value>0) {
// if asset is not weth, revertif (address(vault.asset()) !=address(weth9)) {
revertInvalidAsset();
}
// wrap eth
weth9.deposit{ value: msg.value }();
}
}
From the above code, we know that there are two ways to pass in ETH msg.value and pullToken()
But executing pullToken(assets), assets does not deduct msg.value
If the user has WETH.approve(router) before, then the user will be transferred eth repeatedly, and a copy will be left in the contract.
sherlock-admin2
changed the title
Fluffy Shamrock Turkey - LMPVaultRouter duplicate transfer ETH
bin2chen - LMPVaultRouter duplicate transfer ETH
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
bin2chen
high
LMPVaultRouter duplicate transfer ETH
Summary
in
LMPVaultRouter.mint()
/LMPVaultRouter.deposit()
Will execute
_processEthIn()
, then executepullToken(vaultAsset, assets, address(this))
.Executing
pullToken()
does not deduct the ETH frommsg.value
, resulting in a duplicate transfer to WETHResulting in the loss of the user's ETH
Vulnerability Detail
in
LMPVaultRouter.mint()
From the above code, we know that there are two ways to pass in ETH
msg.value
andpullToken()
But executing
pullToken(assets)
,assets
does not deductmsg.value
If the user has
WETH.approve(router)
before, then the user will be transferred eth repeatedly, and a copy will be left in the contract.Example:
suppose vault.asset == weth , 1 shares = 1 assets
if alice call
mint{ value = 100} (shares=100)
so alice Pay 200 eth, get 100 shares, 100 eth stays in the contract.
Impact
Repeatedly transferring ETH, causing the user to lose a copy of ETH.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L30-L34
Tool used
Manual Review
Recommendation
Duplicate of #1
The text was updated successfully, but these errors were encountered: