This repository has been archived by the owner on Mar 3, 2024. It is now read-only.

duc - Incorrect handling of ETH when interacting with the LMPVaultRouterBase.deposit() #631

Closed
sherlock-admin2 opened this issue Aug 30, 2023 · 0 comments
Labels:
- Duplicate: A valid issue that is a duplicate of an issue with `Has Duplicates` label
- High: A valid High severity issue
- Reward: A payout will be made for this issue

sherlock-admin2 commented Aug 30, 2023

duc

medium

Incorrect handling of ETH when interacting with the LMPVaultRouterBase.deposit()

Summary

Read the Detailed Description section

Vulnerability Detail

The purpose of the LMPVaultRouterBase.deposit() function is to facilitate the depositing of a specified amount into an ERC4626 vault, allowing the user to receive an expected minimum of minSharesOut shares in return.

function deposit(
    ILMPVault vault,
    address to,
    uint256 amount,
    uint256 minSharesOut
) public payable virtual override returns (uint256 sharesOut) {
    // Handling possible ETH
    _processEthIn(vault);

    IERC20 vaultAsset = IERC20(vault.asset());
    pullToken(vaultAsset, amount, address(this));

    return _deposit(vault, to, amount, minSharesOut);
}

At the beginning of the function, the internal function _processEthIn() is invoked to manage any ETH sent along with the function call. This internal function wraps the msg.value ETH into WETH if the designated LMPVault utilizes WETH as its baseAsset. However, a flaw arises where, even after wrapping the msg.value into WETH, the function still requires the sender to transfer the amount of WETH using the pullToken() function, rather than amount - msg.value. Consequently, this leads to a loss for the sender as the attached ETH remains unused.

A similar issue is also present in the LMPVaultBase.mint() function.

Impacts

Senders could experience financial losses.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L44-L57
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L23-L41

Tool used

Manual Review

Recommendation

It is recommended to modify the logic to ensure that users transfer amount - msg.value when the LMPVault utilizes WETH as its base asset.

Duplicate of #1

@github-actions github-actions bot added the High (A valid High severity issue) and Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label) labels Sep 11, 2023
@sherlock-admin sherlock-admin changed the title from "Modern Iris Lemur - Incorrect handling of ETH when interacting with the LMPVaultRouterBase.deposit()" to "duc - Incorrect handling of ETH when interacting with the LMPVaultRouterBase.deposit()" Oct 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Oct 3, 2023
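
The accounting the report's recommendation describes, as an added sketch (not code from the audited repository or from the report): ETH attached to the call is wrapped and counted toward `amount`, and only `amount - msg.value` is pulled from the sender. The names `IERC20Like`, `IWETHLike`, `IVaultLike`, `RouterDepositSketch` and the `weth` field are hypothetical, a plain `transferFrom` stands in for `pullToken()`, and the two revert conditions are assumed policy choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal hypothetical interfaces so the sketch compiles on its own.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}
interface IWETHLike is IERC20Like {
    function deposit() external payable;
}
interface IVaultLike {
    function asset() external view returns (address);
}

abstract contract RouterDepositSketch {
    IWETHLike public immutable weth; // assumption: the router knows the WETH address

    constructor(IWETHLike weth_) {
        weth = weth_;
    }

    function deposit(IVaultLike vault, address to, uint256 amount, uint256 minSharesOut)
        public payable virtual returns (uint256 sharesOut)
    {
        address asset = vault.asset();
        uint256 wrapped = 0;
        if (msg.value > 0) {
            // Assumed policy: ETH is only accepted for WETH vaults, never more than `amount`.
            require(asset == address(weth), "ETH sent to non-WETH vault");
            require(msg.value <= amount, "msg.value exceeds amount");
            weth.deposit{value: msg.value}();
            wrapped = msg.value;
        }
        // Pull only the shortfall, so the attached ETH counts toward `amount`.
        uint256 toPull = amount - wrapped;
        if (toPull > 0) {
            require(IERC20Like(asset).transferFrom(msg.sender, address(this), toPull), "pull failed");
        }
        return _deposit(vault, to, amount, minSharesOut);
    }

    // Stand-in for the router's internal deposit step; a concrete router supplies it.
    function _deposit(IVaultLike vault, address to, uint256 amount, uint256 minSharesOut)
        internal virtual returns (uint256 sharesOut);
}
```

After a call, the router should hold exactly `amount` of the vault asset for the deposit; a unit test that sends `msg.value == amount` and asserts that no WETH is pulled from the sender covers the case the report describes.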