xiaoming90 - Residual ETH will not be sent back to users during the minting of wfCash #25
Labels:
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
High: A valid High severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
Summary
Residual ETH will not be sent back to users, resulting in a loss of assets.
Vulnerability Detail
At line 67, any residual ETH inside the depositUnderlyingToken function is sent as native ETH back to the msg.sender, which in this case is the wfCash wrapper contract:
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L67
Within the depositUnderlyingToken function (line 108 below), the returnExcessWrapped parameter is set to false, which means the residual ETH is not wrapped into WETH; instead, native ETH is sent back to the caller (the wrapper contract):
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/AccountAction.sol#L108
In _sendTokensToReceiver, balanceBefore is the wrapper's WETH balance before the deposit and balanceAfter is its WETH balance after the deposit. When _sendTokensToReceiver executes, these two values are equal, because what the wrapper received was native ETH rather than WETH. As a result, the native ETH that the wrapper received is never forwarded to the users:
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L331
Impact
Loss of assets as the residual ETH is not sent to the users.
Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L67
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/AccountAction.sol#L108
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L331
Tool used
Manual Review
Recommendation
If the underlying is ETH, measure the wrapper's native ETH balance before and after depositUnderlyingToken is executed, and forward any residual native ETH to the users.
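A sketch of the recommended check, added here as an illustration and not code from the wfCash repository; INotionalLike and its depositUnderlyingToken signature are assumed stand-ins for the audited contracts:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for Notional's depositUnderlyingToken; the real
// signature and currency handling in the audited repo may differ.
interface INotionalLike {
    function depositUnderlyingToken(
        address account, uint16 currencyId, uint256 amount, bool returnExcessWrapped
    ) external payable returns (uint256 assetTokensReceived);
}

contract ResidualForwardingWrapper {
    INotionalLike public immutable notional;
    uint16 public immutable currencyId;

    constructor(INotionalLike notional_, uint16 currencyId_) {
        notional = notional_;
        currencyId = currencyId_;
    }

    // Without a receive() the native-ETH refund from the deposit call would revert.
    receive() external payable {}

    // Deposits the ETH attached to this call (returnExcessWrapped = false, as in
    // the issue) and forwards any native ETH the deposit refunds to `receiver`.
    // A WETH balance diff alone cannot observe that refund, which is the bug.
    function depositEthAndForwardResidual(address receiver) external payable {
        // Balance before the deposit, excluding the ETH the caller just attached.
        uint256 ethBefore = address(this).balance - msg.value;

        notional.depositUnderlyingToken{value: msg.value}(address(this), currencyId, msg.value, false);

        // Anything above ethBefore is residual that came back as native ETH.
        uint256 residualEth = address(this).balance - ethBefore;
        if (residualEth > 0) {
            (bool ok, ) = payable(receiver).call{value: residualEth}("");
            require(ok, "ETH refund failed");
        }
    }
}
```

The same pattern applies to the WETH case already handled by _sendTokensToReceiver: measure the balance that can actually change, then forward the difference.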