You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 30, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
User can lost funds during deposit() in LMPVaultRouter
Summary
When depositing with ETH, LMPVaultRouterBase's deposit() function can also pull WETH from caller if the caller had approved WETH back in some time.
Vulnerability Detail
1 - Alice wants to deposit 1 ETH to mint shares, as WETH and ETH are 1:1, so inside deposit() of LMPVaultRouterBase _processEthIn() converts deposited ETH into WETH. The functions will be called with params like below.
deposit(wethVaultAddress,userAddress,1e18,1e18)
2 - Assuming some users who have WETH and had approved to LMPVaultRouter back in some time. In spite of getting ETH, following line also pulls 1 WETH from user.
pullToken(vaultAsset, amount, address(this));
3 - The user will get shares of 1 ETH, and user will lose 1 WETH unknowingly.
The WETH pulled from user will remain inside the LMPVaultRouter unless someone/BOT calls sweepToken() and gets those WETH.
sherlock-admin2
changed the title
Joyous Plastic Mallard - User can lost funds during deposit() in LMPVaultRouter
harisnabeel - User can lost funds during deposit() in LMPVaultRouter
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
harisnabeel
high
User can lost funds during deposit() in LMPVaultRouter
Summary
When depositing with ETH, LMPVaultRouterBase's deposit() function can also pull WETH from caller if the caller had approved WETH back in some time.
Vulnerability Detail
1 - Alice wants to deposit 1 ETH to mint shares, as WETH and ETH are 1:1, so inside deposit() of LMPVaultRouterBase
_processEthIn()
converts deposited ETH into WETH. The functions will be called with params like below.2 - Assuming some users who have WETH and had approved to LMPVaultRouter back in some time. In spite of getting ETH, following line also pulls 1 WETH from user.
3 - The user will get shares of 1 ETH, and user will lose 1 WETH unknowingly.
The WETH pulled from user will remain inside the LMPVaultRouter unless someone/BOT calls sweepToken() and gets those WETH.
References:
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L51
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L54
Impact
Those users who have WETH in their account and had approved WETH to LMPVaultRouter will lose WETH when depositing with ETH.
Code Snippet
Tool used
Manual Review
Recommendation
Only pull WETH from user when msg.value < amount.
Make sure to pull the difference between msg.value and amount like below:
Duplicate of #1
The text was updated successfully, but these errors were encountered: