You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
Potentially overpaying for vault shares due to the lack of incorporating native ETH into the required assets amount
Summary
Using native ETH to mint vault shares or deposit into a vault does not incorporate the native ETH amount into the required assets amount of vaultAsset (i.e., WETH) tokens, resulting in overpaying for the vault shares.
Vulnerability Detail
Minting LMPVault shares using the LMPVaultRouterBase.mint function allows the caller to provide native ETH. The received ETH is wrapped to WETH via the _processEthIn function and kept within the router contract. Subsequently, in line 34 of the mint function, vaultAsset (i.e., WETH) tokens are attempted to be pulled in from the caller (msg.sender). However, if the caller has already provided native ETH, the additional pulled-in WETH token amount assets does not consider the previously wrapped ETH amount, resulting in overpaying for the vault shares.
Impact
If the caller (msg.sender) has approved the LMPVaultRouter contract with sufficient WETH token spending allowance, pulling in the additional WETH tokens will succeed. However, as twice the amount of assets is pulled in and only assets is utilized by the vault, the remaining funds will be kept in the router contract, up for grabs for MEV bots or other actors (using the sweepToken function of the PeripheryPayments child contract).
Otherwise, if the router's spending allowance is insufficient, the transaction will revert.
Code Snippet
Both the mint and deposit functions of the LMPVaultRouterBase contract suffer from the same issue.
The provided native ETH (i.e., msg.value) is wrapped to WETH and remains in the router contract.
111: function _processEthIn(ILMPVault vault) internal {
112: // if any eth sent, wrap it first113: if (msg.value>0) {
114: // if asset is not weth, revert115: if (address(vault.asset()) !=address(weth9)) {
116: revertInvalidAsset();
117: }
118:
119: // wrap eth120: weth9.deposit{ value: msg.value }();
121: }
122: }
Consider using the native ETH, which gets wrapped as WETH, provided by the caller and deduct this amount from the required assets amount. This results in less funds being pulled in from the caller, correctly using the native ETH provided by the caller.
sherlock-admin
changed the title
Nice Maroon Frog - Potentially overpaying for vault shares due to the lack of incorporating native ETH into the required assets amount
berndartmueller - Potentially overpaying for vault shares due to the lack of incorporating native ETH into the required assets amount
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
berndartmueller
medium
Potentially overpaying for vault shares due to the lack of incorporating native ETH into the required
assets
amountSummary
Using native ETH to
mint
vault shares or deposit into a vault does not incorporate the native ETH amount into the requiredassets
amount ofvaultAsset
(i.e., WETH) tokens, resulting in overpaying for the vault shares.Vulnerability Detail
Minting
LMPVault
shares using theLMPVaultRouterBase.mint
function allows the caller to provide native ETH. The received ETH is wrapped to WETH via the_processEthIn
function and kept within the router contract. Subsequently, in line 34 of themint
function,vaultAsset
(i.e., WETH) tokens are attempted to be pulled in from the caller (msg.sender
). However, if the caller has already provided native ETH, the additional pulled-in WETH token amountassets
does not consider the previously wrapped ETH amount, resulting in overpaying for the vault shares.Impact
If the caller (
msg.sender
) has approved theLMPVaultRouter
contract with sufficient WETH token spending allowance, pulling in the additional WETH tokens will succeed. However, as twice the amount ofassets
is pulled in and onlyassets
is utilized by the vault, the remaining funds will be kept in the router contract, up for grabs for MEV bots or other actors (using thesweepToken
function of thePeripheryPayments
child contract).Otherwise, if the router's spending allowance is insufficient, the transaction will revert.
Code Snippet
Both the
mint
anddeposit
functions of theLMPVaultRouterBase
contract suffer from the same issue.src/vault/LMPVaultRouterBase.sol#L34
src/vault/LMPVaultRouterBase.sol#L54
src/vault/LMPVaultRouterBase._processEthIn
The provided native ETH (i.e.,
msg.value
) is wrapped to WETH and remains in the router contract.src/utils/PeripheryPayments.pullToken
Tool used
Manual Review
Recommendation
Consider using the native ETH, which gets wrapped as WETH, provided by the caller and deduct this amount from the required
assets
amount. This results in less funds being pulled in from the caller, correctly using the native ETH provided by the caller.Duplicate of #1
The text was updated successfully, but these errors were encountered: