xiaoming90 - Residual ETH not sent back when `batchBalanceAndTradeAction` executed #30
Comments
1 comment(s) were left on this issue during the judging contest.

takarez commented:

> Is there a POC for this? My reading is that
>
> > We explicitly ask for the residual cash
>
> Ok, upon further clarification I see where the issue stems from.
- fix: add test
- fix: add second test
- fix: sherlock-audit/2023-12-notional-update-5-judging#25 sherlock-audit/2023-12-notional-update-5-judging#30 update eth refund logic
- fix: adding another test

The protocol team fixed this issue in PR/commit notional-finance/wrapped-fcash#20.

The Lead Senior Watson signed-off on the fix.
xiaoming90

high

# Residual ETH not sent back when `batchBalanceAndTradeAction` executed

## Summary

Residual ETH was not sent back when the `batchBalanceAndTradeAction` function was executed, resulting in a loss of assets.

## Vulnerability Detail
Per the comment at Line 122 below, when there is residual ETH, native ETH will be sent from Notional V3 to the wrapper contract. In addition, per the comment at Line 109, it is often the case that there is an excess amount to be refunded to the users.

https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L122

This is due to how the `depositUnderlyingExternal` function within Notional V3 is implemented. The `batchBalanceAndTradeAction` will trigger the `depositUnderlyingExternal` function. Within the `depositUnderlyingExternal` function at Line 196, excess ETH will be transferred back to the account (the wrapper address) as native ETH. Note that for other ERC20 tokens, such as DAI or USDC, the excess will be added to the wrapper's cash balance, and this issue will not occur.

https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/internal/balances/TokenHandler.sol#L196

The comment states that any residual ETH held as the native token will be wrapped back to WETH by `_sendTokensToReceiver`.

https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L122

However, the current implementation of `_sendTokensToReceiver`, as shown below, does not wrap the native ETH to WETH. Thus, the residual ETH will not be sent back to the users and will be stuck in the contract.

https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L331
## Impact

Loss of assets, as the residual ETH is not sent to the users.

## Code Snippet

https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L122

https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/internal/balances/TokenHandler.sol#L196

https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L331

## Tool used

Manual Review

## Recommendation

If the underlying is ETH, measure the native ETH balance before and after `batchBalanceAndTradeAction` is executed, and forward any residual native ETH to the users.
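The balance-snapshot refund from the recommendation, written out as an added Solidity sketch. This is illustrative code, not wrapped-fcash's or Notional V3's own: `INotionalLike`, `EthResidualRefundExample`, `tradeWithoutRefund`, `tradeWithRefund` and the `bytes actions` placeholder (standing in for Notional's action structs) are assumptions, while `IWETH9` follows the canonical WETH9 `deposit()`/`transfer()` interface. The first function reproduces the pattern the issue describes, where native ETH refunded by `depositUnderlyingExternal` is never looked at; the second measures `address(this).balance` before and after the call and forwards the difference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration for this issue; not code from wrapped-fcash or Notional V3.
// INotionalLike is a simplified stand-in for Notional's batchBalanceAndTradeAction
// entry point (the real one takes an array of action structs, here a bytes blob).
// IWETH9 mirrors the canonical WETH9 deposit()/transfer() functions.

interface IWETH9 {
    function deposit() external payable;
    function transfer(address to, uint256 amount) external returns (bool);
}

interface INotionalLike {
    function batchBalanceAndTradeAction(address account, bytes calldata actions) external payable;
}

contract EthResidualRefundExample {
    INotionalLike public immutable notional;
    IWETH9 public immutable weth;
    // True when this wrapper's underlying is ETH. The residual-ETH case only
    // exists then; ERC20 excess is credited to the cash balance instead.
    bool public immutable underlyingIsEth;

    event ResidualEthRefunded(address indexed receiver, uint256 amount);

    constructor(INotionalLike notional_, IWETH9 weth_, bool underlyingIsEth_) {
        notional = notional_;
        weth = weth_;
        underlyingIsEth = underlyingIsEth_;
    }

    // depositUnderlyingExternal refunds excess ETH to the account (this contract)
    // as native ETH, so the wrapper must be able to receive a plain transfer.
    receive() external payable {}

    /// Pattern described in the issue (vulnerable): the action runs, the fCash /
    /// ERC20 side is settled elsewhere, and any native ETH Notional refunded
    /// simply accumulates in this contract.
    function tradeWithoutRefund(bytes calldata actions) external payable {
        notional.batchBalanceAndTradeAction{value: msg.value}(address(this), actions);
        // _sendTokensToReceiver-style logic for WETH/ERC20 would go here; the
        // native ETH balance is never inspected.
    }

    /// Recommended pattern: snapshot the native ETH balance around the call and
    /// forward whatever came back. Returns the residual so callers can observe it.
    function tradeWithRefund(bytes calldata actions, address receiver)
        external
        payable
        returns (uint256 residual)
    {
        // Inside a payable function address(this).balance already includes
        // msg.value; subtract it so the baseline is the pre-call holdings only.
        uint256 balanceBefore = address(this).balance - msg.value;

        notional.batchBalanceAndTradeAction{value: msg.value}(address(this), actions);

        uint256 balanceAfter = address(this).balance;
        residual = balanceAfter > balanceBefore ? balanceAfter - balanceBefore : 0;

        if (underlyingIsEth && residual > 0) {
            // Hand the refund back in the token the wrapper already deals in
            // (WETH) rather than pushing raw ETH to an arbitrary receiver.
            weth.deposit{value: residual}();
            require(weth.transfer(receiver, residual), "WETH transfer failed");
            emit ResidualEthRefunded(receiver, residual);
        }
    }
}
```

Measuring a balance difference rather than a fixed expected amount covers the partial-fill case where Notional consumes only part of `msg.value`, and wrapping the residual into WETH before sending keeps the refund in the asset the wrapper handles while avoiding the gas and reentrancy concerns of a raw ETH push to a caller-chosen address.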