kaysoft - Loss of ETH when user deposits stEth or WETH but msg.value is not zero #39
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
Sponsor Disputed
The sponsor disputed this issue's validity
Comments
sherlock-admin2
changed the title
sherlock-admin3
added
the
Sponsor Disputed
github-actions
bot
changed the title
github-actions
bot
added
the
Excluded
sherlock-admin3
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
kaysoft
Medium
Loss of ETH when user deposits stEth or WETH but msg.value is not zero
Summary
When a user tries to deposit
stEthorWETHtoken butmsg.valueis greater than zero the ETH will be lost to the DepositWrapper.sol contract.Vulnerability Detail
The deposit function accepts deposits of ETH, stETH, WETH and wstETh which are finally converted to wstETH. When a user tries to deposit any of
stETH,WETHandwstETh, there is no check to ensure thatmsg.valuesent along with the transaction is zero. This could cause users to lose ETH to the DepositWrapper.sol smart contract when trying to deposit.Impact
Loss of ETH when user deposits stEth or WETH but msg.value is not zero
Code Snippet
https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/utils/DepositWrapper.sol#L42C5-L75C6
Tool used
Manual Review
Recommendation
Consider validating that
msg.value == 0when a user tries to deposit eitherstEthorWETHtokens this way:File: DepositWrapper.sol function deposit( address to, address token, uint256 amount, uint256 minLpAmount, uint256 deadline ) external payable returns (uint256 lpAmount) { address wrapper = address(this); address sender = msg.sender; address[] memory tokens = vault.underlyingTokens(); if (tokens.length != 1 || tokens[0] != wsteth) revert InvalidTokenList(); if (amount == 0) revert InvalidAmount(); ++ if (token != address(0)) { ++ require(msg.value == 0, "Loss of Ether"); ++ } if (token == steth) { IERC20(steth).safeTransferFrom(sender, wrapper, amount); amount = _stethToWsteth(amount); } else if (token == weth) { IERC20(weth).safeTransferFrom(sender, wrapper, amount); amount = _wethToWsteth(amount); } else if (token == address(0)) { if (msg.value != amount) revert InvalidAmount(); amount = _ethToWsteth(amount); } else if (wsteth == token) { IERC20(wsteth).safeTransferFrom(sender, wrapper, amount); } else revert InvalidToken(); IERC20(wsteth).safeIncreaseAllowance(address(vault), amount); uint256[] memory amounts = new uint256[](1); amounts[0] = amount; (, lpAmount) = vault.deposit(to, amounts, minLpAmount, deadline); uint256 balance = IERC20(wsteth).balanceOf(wrapper); if (balance > 0) IERC20(wsteth).safeTransfer(sender, balance); emit DepositWrapperDeposit(sender, token, amount, lpAmount, deadline); }The text was updated successfully, but these errors were encountered: