You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
Incorrect handling of ETH when interacting with the LMPVaultRouterBase.deposit()
Summary
Read the Detailed Description section
Vulnerability Detail
The purpose of the LMPVaultRouterBase.deposit() function is to facilitate the depositing of a specified amount into an ERC4626 vault, allowing the user to receive an expected minimum of minSharesOut shares in return.
function deposit(
ILMPVault vault,
address to,
uint256 amount,
uint256 minSharesOut
) public payable virtual override returns (uint256 sharesOut) {
// Handling possible ETH
_processEthIn(vault);
IERC20 vaultAsset = IERC20(vault.asset());
pullToken(vaultAsset, amount, address(this));
return _deposit(vault, to, amount, minSharesOut);
}
At the beginning of the function, the internal function _processEthIn() is invoked to manage any ETH sent along with the function call. This internal function wraps the msg.value ETH into WETH if the designated LMPVault utilizes WETH as its baseAsset. However, a flaw arises where, even after wrapping the msg.value into WETH, the function still requires the sender to transfer the amount of WETH using the pullToken() function, rather than amount - msg.value. Consequently, this leads to a loss for the sender as the attached ETH remains unused.
A similar issue is also present in the LMPVaultBase.mint() function.
sherlock-admin
changed the title
Modern Iris Lemur - Incorrect handling of ETH when interacting with the LMPVaultRouterBase.deposit()
duc - Incorrect handling of ETH when interacting with the LMPVaultRouterBase.deposit()Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
duc
medium
Incorrect handling of ETH when interacting with the
LMPVaultRouterBase.deposit()
Summary
Read the Detailed Description section
Vulnerability Detail
The purpose of the
LMPVaultRouterBase.deposit()
function is to facilitate the depositing of a specifiedamount
into an ERC4626 vault, allowing the user to receive an expected minimum ofminSharesOut
shares in return.At the beginning of the function, the internal function
_processEthIn()
is invoked to manage any ETH sent along with the function call. This internal function wraps themsg.value
ETH into WETH if the designated LMPVault utilizesWETH
as itsbaseAsset
. However, a flaw arises where, even after wrapping themsg.value
into WETH, the function still requires the sender to transfer theamount
of WETH using thepullToken()
function, rather thanamount - msg.value
. Consequently, this leads to a loss for the sender as the attached ETH remains unused.A similar issue is also present in the
LMPVaultBase.mint()
function.Impacts
Senders could experience financial losses.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L44-L57
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L23-L41
Tool used
Manual Review
Recommendation
It is recommended to modify the logic to ensure that users transfer
amount - msg.value
when the LMPVault utilizes WETH as its base asset.Duplicate of #1
The text was updated successfully, but these errors were encountered: