You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 30, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
LMPVaultRouterBase: Native ETH lost in router when mint&deposit
Summary
LMPVaultRouter inherits LMPVaultRouterBase's payablemint and deposit functions. The native ETH handling logics in mint and deposit are faulty.
Vulnerability Detail
Take deposit as example. It calls _processEthIn to handle eth values in transaction.
function deposit(
ILMPVault vault,
addressto,
uint256amount,
uint256minSharesOut
) publicpayablevirtualoverridereturns (uint256sharesOut) {
// handle possible eth_processEthIn(vault);
IERC20 vaultAsset =IERC20(vault.asset());
pullToken(vaultAsset, amount, address(this));
return_deposit(vault, to, amount, minSharesOut);
}
_processEthIn wraps ETH to WETH. The WETH will be used for LMPVault depositing and is already in router contract.
function _processEthIn(ILMPVault vault) internal {
// if any eth sent, wrap it firstif (msg.value>0) {
// if asset is not weth, revertif (address(vault.asset()) !=address(weth9)) {
revertInvalidAsset();
}
// wrap eth
weth9.deposit{ value: msg.value }();
}
}
After _processEthIn, pullToken is called redundantly to pull WETH from user and the LMPVault is using the pulled tokens to deposit underlying. The wrapped ETH in _processEthIn is not used and will be left in router.
mint in LMPVaultRouterBase has the same problem.
Impact
Native ETH sent by user is not used for minting LMPVault shares and will be left in router contract. The left assets in router can be taken out by anyone.
sherlock-admin2
changed the title
Blurry Green Yak - LMPVaultRouterBase: Native ETH lost in router when mint&deposit
n33k - LMPVaultRouterBase: Native ETH lost in router when mint&deposit
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
n33k
high
LMPVaultRouterBase: Native ETH lost in router when mint&deposit
Summary
LMPVaultRouter
inheritsLMPVaultRouterBase
'spayable
mint
anddeposit
functions. The native ETH handling logics inmint
anddeposit
are faulty.Vulnerability Detail
Take
deposit
as example. It calls_processEthIn
to handle eth values in transaction._processEthIn
wraps ETH to WETH. The WETH will be used for LMPVault depositing and is already in router contract.After
_processEthIn
,pullToken
is called redundantly to pull WETH from user and the LMPVault is using the pulled tokens to deposit underlying. The wrapped ETH in_processEthIn
is not used and will be left in router.mint
inLMPVaultRouterBase
has the same problem.Impact
Native ETH sent by user is not used for minting LMPVault shares and will be left in router contract. The left assets in router can be taken out by anyone.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L23-L57
Tool used
Manual Review
Recommendation
Fix the logics in
mint
anddeposit
.Duplicate of #1
The text was updated successfully, but these errors were encountered: