Closed: sherlock-admin2 closed this issue 1 year ago
2 comment(s) were left on this issue during the judging contest.
0xyPhilic commented:
Invalid because it is not possible to transfer ETH. If the underlying is WETH, it is WETH which is transferred across the whole flow.
Kral01 commented:
This is not a valid issue.
feelereth
high
Risk of ETH becoming locked in the contract
Summary
Risk of ETH becoming locked in the contract if the underlying token is WETH (wrapped ETH).
Vulnerability Detail
The key parts of the code related to this risk are:
The issue is that if uToken is WETH, the safeTransfer will send ETH directly to the contract. Since the contract does not implement any logic to withdraw ETH, it could become stuck.
Example:
Impact
ETH deposits would be unusable and locked forever.
Code Snippet
https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/vault/SoftVault.sol#L125
https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/vault/SoftVault.sol#L128-L129
https://github.com/sherlock-audit/2023-07-blueberry/blob/main/blueberry-core/contracts/vault/SoftVault.sol#L142
Tool used
Manual Review
Recommendation
Implement a withdrawal pattern to allow the owner to sweep stuck ETH.
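Added example, not part of the original report or of the Blueberry code base: a constructed, minimal WETH-style token and a hypothetical recipient contract, illustrating the point made in 0xyPhilic's judging comment that a token transfer of WETH moves ledger units rather than native ETH. `MiniWETH`, `VaultLike` and `Demo` are assumed names, and SoftVault's own code is not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed, minimal WETH-style token (hypothetical; not the canonical WETH source).
contract MiniWETH {
    mapping(address => uint256) public balanceOf;

    // Wrapping: the native ETH stays in this token contract,
    // and the caller is credited the same amount on the token ledger.
    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    // ERC-20 style transfer: only ledger entries change.
    // No native ETH is sent to `to`, so `to` needs no receive() function.
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical stand-in for a vault that holds an underlying token.
// It has no payable function and no ETH withdrawal logic.
contract VaultLike {}

contract Demo {
    // Wraps msg.value, transfers the wrapped amount to a fresh VaultLike,
    // and reports where the value ended up.
    function run()
        external
        payable
        returns (uint256 vaultNativeBalance, uint256 vaultTokenBalance, uint256 tokenNativeBalance)
    {
        MiniWETH weth = new MiniWETH();
        VaultLike vault = new VaultLike();

        weth.deposit{value: msg.value}();
        require(weth.transfer(address(vault), msg.value), "transfer failed");

        vaultNativeBalance = address(vault).balance;        // native ETH held by the vault
        vaultTokenBalance = weth.balanceOf(address(vault)); // wrapped units credited to the vault
        tokenNativeBalance = address(weth).balance;         // native ETH backing the wrapped units
    }
}
```

Calling `run()` with some ETH attached shows the vault credited on the token ledger while its native balance is unchanged; the ETH backing the tokens remains in the token contract.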