This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
GREY-HAWK-REACH - Functionality of multicall is seriously limited due to usage of msg.value and missing payable modifiers #215
Labels
Excluded
Excluded by the judge without consulting the protocol or the senior
Non-Reward
This issue will not receive a payout
Comments
github-actions
bot
added
the
Excluded
|
1 comment(s) were left on this issue during the judging contest. Trumpero commented:
|
sherlock-admin
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
GREY-HAWK-REACH
medium
Functionality of multicall is seriously limited due to usage of msg.value and missing payable modifiers
Summary
Missing
payablemodifier in LMPVaultRouterBase#redeem and #withdraw, alongside with usingmsg.valueoveraddress(this).balancein #_processEthIn, significantly restrict the utility ofmulticall.Vulnerability Detail
LMPVaultRouterBase inherits Multicall implementation forked from Uniswap V3. Uni's multicall is
payableand it arises an obvious issue of "msg.value in a loop", which in Uniswap's contracts is resolved by:address(this).balance(instead ofmsg.value) for native-token operations.payableto every function that is expected to be multicalled - to prevent these functions from reverting on therequire(msg.value == 0)check that every non-payable function has under the hood.https://github.com/Uniswap/v3-periphery/tree/main/contracts
Uniswap/v3-periphery#52
Impact
Tokemak's implementation lacks both of the aforementioned mitigations:
payablemodifier.msg.value.With
msg.value > 0, attempts tomulticallnon-payablewithdraw/redeemtogether with payabledeposit/mintwill revert. Multicalls that have more than onedepositormintin total will also revert.Examples:
Multicall A (msg.value == 1e18):
deposit- succeeds.withdraw- reverts because the function is not payable andmsg.value > 0.Multicall B (msg.value == 1e18):
mint- succeeds.deposit- reverts in line 120, becausemsg.valuehas already been used by themint:Code Snippet
LMPVaultRouterBase.sol#L73-L79
LMPVaultRouterBase.sol#L93-L99
LMPVaultRouterBase.sol#L111-L122
Tool used
Manual Review
Recommendation
Add
payablemodifier to LMPVaultRouterBase#redeem and #withdraw.Change
msg.valuetoaddress(this).balancein _processEthIn:function _processEthIn(ILMPVault vault) internal { // if any eth sent, wrap it first - if (msg.value > 0) { + if (address(this).balance > 0) { // if asset is not weth, revert if (address(vault.asset()) != address(weth9)) { revert InvalidAsset(); } // wrap eth - weth9.deposit{ value: msg.value }(); + weth9.deposit{ value: address(this).balance }(); } }The text was updated successfully, but these errors were encountered: