You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
sherlock-admin opened this issue
Aug 30, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
wETH deposited/minted via LMPVaultRouterBase is taken twice from msg.sender if he chooses to deposit with msg.value
Summary
LMPVaultRouterBase offers the user the option to send ETH with his calls to mint/deposit. This msg.value will be deposited into the wETH contract yet it will not be used for minting vault shares, instead the contract pulls the tokens required for minting vault shares from the user again, making him pay twice if he has wETH in his wallet. The wETH stranded in the contract can be easily stolen by anyone.
function _processEthIn(ILMPVault vault) internal {
// if any eth sent, wrap it firstif (msg.value>0) {
// if asset is not weth, revertif (address(vault.asset()) !=address(weth9)) {
revertInvalidAsset();
}
// wrap eth
weth9.deposit{ value: msg.value }();
}
}
as you can see, when minting/depositing, the contract first converts the msg.value into wETH if the vault.asset is wETH.
The contract receives this wETH but it does not use it, instead it pulls the vaultAsset directly from the msg.sender via pullToken:
function pullToken(IERC20token, uint256amount, addressrecipient) publicpayable {
token.safeTransferFrom(msg.sender, recipient, amount);
}
The LMPVaultRouterBase inherits from PeripheryPayments which has function that lets anyone steal the wETH in the contract:
function sweepToken(IERC20token, uint256amountMinimum, addressrecipient) publicpayable {
uint256 balanceToken = token.balanceOf(address(this));
if (balanceToken < amountMinimum) revertInsufficientToken();
if (balanceToken >0) {
token.safeTransfer(recipient, balanceToken);
}
}
Impact
possible loss of funds for users because funds might be pulled twice from the user
use the wETH that the contract receives from depositing into wETH contract to mint shares if the vaultAsset is wETH instead of pulling the tokens from the user
sherlock-admin2
changed the title
Original Fossilized Seagull - wETH deposited/minted via LMPVaultRouterBase is taken twice from msg.sender if he chooses to deposit with msg.value
vagrant - wETH deposited/minted via LMPVaultRouterBase is taken twice from msg.sender if he chooses to deposit with msg.value
Oct 3, 2023
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
vagrant
high
wETH deposited/minted via LMPVaultRouterBase is taken twice from msg.sender if he chooses to deposit with msg.value
Summary
LMPVaultRouterBase offers the user the option to send ETH with his calls to mint/deposit. This msg.value will be deposited into the wETH contract yet it will not be used for minting vault shares, instead the contract pulls the tokens required for minting vault shares from the user again, making him pay twice if he has wETH in his wallet. The wETH stranded in the contract can be easily stolen by anyone.
Vulnerability Detail
LMPVaultRouterBase mint() and deposit():
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L23
_processEthIn():
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L111
as you can see, when minting/depositing, the contract first converts the msg.value into wETH if the vault.asset is wETH.
The contract receives this wETH but it does not use it, instead it pulls the vaultAsset directly from the msg.sender via pullToken:
The LMPVaultRouterBase inherits from PeripheryPayments which has function that lets anyone steal the wETH in the contract:
Impact
possible loss of funds for users because funds might be pulled twice from the user
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L23
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/vault/LMPVaultRouterBase.sol#L111
Tool used
Manual Review
Recommendation
use the wETH that the contract receives from depositing into wETH contract to mint shares if the vaultAsset is wETH instead of pulling the tokens from the user
Duplicate of #1
The text was updated successfully, but these errors were encountered: