n33k - LMPVaultRouterBase: Native ETH lost in router when mint&deposit

[sherlock-admin]

n33k

high

LMPVaultRouterBase: Native ETH lost in router when mint&deposit

Summary

LMPVaultRouter inherits LMPVaultRouterBase's payable mint and deposit functions. The native ETH handling logics in mint and deposit are faulty.

Vulnerability Detail

Take deposit as example. It calls _processEthIn to handle eth values in transaction.

    function deposit(
        ILMPVault vault,
        address to,
        uint256 amount,
        uint256 minSharesOut
    ) public payable virtual override returns (uint256 sharesOut) {
        // handle possible eth
        _processEthIn(vault);

        IERC20 vaultAsset = IERC20(vault.asset());
        pullToken(vaultAsset, amount, address(this));

        return _deposit(vault, to, amount, minSharesOut);
    }

_processEthIn wraps ETH to WETH. The WETH will be used for LMPVault depositing and is already in router contract.

    function _processEthIn(ILMPVault vault) internal {
        // if any eth sent, wrap it first
        if (msg.value > 0) {
            // if asset is not weth, revert
            if (address(vault.asset()) != address(weth9)) {
                revert InvalidAsset();
            }

            // wrap eth
            weth9.deposit{ value: msg.value }();
        }
    }

After _processEthIn, pullToken is called redundantly to pull WETH from user and the LMPVault is using the pulled tokens to deposit underlying. The wrapped ETH in _processEthIn is not used and will be left in router.

mint in LMPVaultRouterBase has the same problem.

Impact

Native ETH sent by user is not used for minting LMPVault shares and will be left in router contract. The left assets in router can be taken out by anyone.

Code Snippet

https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L23-L57

Tool used

Manual Review

Recommendation

Fix the logics in mint and deposit.

Duplicate of #1