bin2chen - LMPVaultRouter duplicate transfer ETH

[sherlock-admin]

bin2chen

high

LMPVaultRouter duplicate transfer ETH

Summary

in LMPVaultRouter.mint()/ LMPVaultRouter.deposit()
Will execute _processEthIn(), then execute pullToken(vaultAsset, assets, address(this)).
Executing pullToken() does not deduct the ETH from msg.value, resulting in a duplicate transfer to WETH
Resulting in the loss of the user's ETH

Vulnerability Detail

in LMPVaultRouter.mint()

abstract contract LMPVaultRouterBase is ILMPVaultRouterBase, SelfPermit, Multicall, PeripheryPayments {
...
    function mint(
        ILMPVault vault,
        address to,
        uint256 shares,
        uint256 maxAmountIn
    ) public payable virtual override returns (uint256 amountIn) {
        // handle possible eth
@>      _processEthIn(vault);

        IERC20 vaultAsset = IERC20(vault.asset());
@>      uint256 assets = vault.previewMint(shares);
@>      pullToken(vaultAsset, assets, address(this));
        vaultAsset.safeApprove(address(vault), assets);

        amountIn = vault.mint(shares, to);
        if (amountIn > maxAmountIn) {
            revert MaxAmountError();
        }
    }


    function _processEthIn(ILMPVault vault) internal {
        // if any eth sent, wrap it first
        if (msg.value > 0) {
            // if asset is not weth, revert
            if (address(vault.asset()) != address(weth9)) {
                revert InvalidAsset();
            }

            // wrap eth
            weth9.deposit{ value: msg.value }();
        }
    }

From the above code, we know that there are two ways to pass in ETH msg.value and pullToken()

But executing pullToken(assets), assets does not deduct msg.value

If the user has WETH.approve(router) before, then the user will be transferred eth repeatedly, and a copy will be left in the contract.

Example:
suppose vault.asset == weth , 1 shares = 1 assets

if alice call mint{ value = 100} (shares=100)

1. msg.value = 100
2. pullToken(assets = 100) -> WETH.transerFrom(alice,addfress(this),100)

so alice Pay 200 eth, get 100 shares, 100 eth stays in the contract.

Impact

Repeatedly transferring ETH, causing the user to lose a copy of ETH.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/5d8e902ce33981a6506b1b5fb979a084602c6c9a/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L30-L34

Tool used

Manual Review

Recommendation

    function mint(
        ILMPVault vault,
        address to,
        uint256 shares,
        uint256 maxAmountIn
    ) public payable virtual override returns (uint256 amountIn) {
        // handle possible eth
        _processEthIn(vault);

        IERC20 vaultAsset = IERC20(vault.asset());
        uint256 assets = vault.previewMint(shares);
-       pullToken(vaultAsset, assets, address(this));
+      if(vaultAsset == weth9 && msg.value > 0 ) {
+           pullToken(vaultAsset, assets - msg.value, address(this));
+      }else{
+         pullToken(vaultAsset, assets, address(this));
+      }
        vaultAsset.safeApprove(address(vault), assets);

        amountIn = vault.mint(shares, to);
        if (amountIn > maxAmountIn) {
            revert MaxAmountError();
        }
    }

Duplicate of #1