Closed code423n4 closed 2 years ago
Lines of code

https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/LidoVault.sol#L122-L149

Vulnerability details

Impact

In `_withdrawFromYieldPool()` the return value of the ETH transfer is never checked: the `return` statement at line #141 exits the function before the `require(sent, ...)` on the following line, so that check is unreachable and a failed ETH transfer goes undetected.

Proof of Concept

`_withdrawFromYieldPool()`:

```solidity
function _withdrawFromYieldPool(
  address _asset,
  uint256 _amount,
  address _to
) internal override returns (uint256) {
  address LIDO = _addressesProvider.getAddress('LIDO');
  if (_asset == address(0)) {
    // Case of ETH withdraw request from user, so exchange stETH -> ETH via curve
    uint256 receivedETHAmount = CurveswapAdapter.swapExactTokensForTokens(
      _addressesProvider,
      _addressesProvider.getAddress('STETH_ETH_POOL'),
      LIDO,
      ETH,
      _amount,
      200
    );
    // send ETH to user
    (bool sent, bytes memory data) = address(_to).call{value: receivedETHAmount}('');
    return receivedETHAmount; // <-------------- @audit-info
    require(sent, Errors.VT_COLLATERAL_WITHDRAW_INVALID); // never reached
  } else {
    // Case of stETH withdraw request from user, so directly send
    require(_asset == LIDO, Errors.VT_COLLATERAL_WITHDRAW_INVALID);
    IERC20(LIDO).safeTransfer(_to, _amount);
  }
  return _amount;
}
```

Tools Used

Manual Review

Recommended Mitigation Steps

Move the `return` statement below line #142, i.e. after the `require(sent, ...)` check.
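As an added example (not Sturdy's code), a minimal vault with the vulnerable and the corrected ordering side by side, plus a Foundry-style test showing the consequence: a recipient that rejects ETH makes the unchecked version report a successful withdrawal while the ETH never leaves the vault. `MiniVault` and `RejectingRecipient` are hypothetical names, and the Curve stETH -> ETH swap of the original is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import 'forge-std/Test.sol';

// Minimal vault (hypothetical, not Sturdy's code). The ETH amount is passed in
// directly; the Curve stETH -> ETH swap of the original is omitted.
contract MiniVault {
    // Vulnerable ordering: `return` runs before `require`, so a failed call is
    // reported as a successful withdrawal and the ETH stays in the vault.
    function withdrawUnchecked(address _to, uint256 _amount) external returns (uint256) {
        (bool sent, ) = _to.call{value: _amount}('');
        return _amount;
        require(sent, 'ETH transfer failed'); // unreachable, compiler warns
    }

    // Corrected ordering: check the call result first, then return.
    function withdrawChecked(address _to, uint256 _amount) external returns (uint256) {
        (bool sent, ) = _to.call{value: _amount}('');
        require(sent, 'ETH transfer failed');
        return _amount;
    }

    receive() external payable {}
}

// A recipient whose receive() reverts, e.g. a contract that cannot accept ETH.
contract RejectingRecipient {
    receive() external payable { revert('no ETH'); }
}

contract MiniVaultTest is Test {
    MiniVault vault;
    RejectingRecipient sink;

    function setUp() public {
        vault = new MiniVault();
        sink = new RejectingRecipient();
        vm.deal(address(vault), 1 ether);
    }

    function testUncheckedReportsSuccessOnFailedTransfer() public {
        uint256 returned = vault.withdrawUnchecked(address(sink), 1 ether);
        assertEq(returned, 1 ether);               // caller is told the ETH left
        assertEq(address(vault).balance, 1 ether); // but it never did
    }

    function testCheckedReverts() public {
        vm.expectRevert(bytes('ETH transfer failed'));
        vault.withdrawChecked(address(sink), 1 ether);
    }
}
```

Run with `forge test`; the first test passes against the unchecked version precisely because the failure is silent, which is the accounting mismatch the finding describes.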
Duplicate of https://github.com/code-423n4/2022-05-sturdy-findings/issues/157