Open sherlock-admin2 opened 9 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { This is a valid finding as the watson was able to explain how excess ETH will be stuck and not sent back to the user as intended; high finding}
The protocol team fixed this issue in PR/commit https://github.com/notional-finance/wrapped-fcash/pull/20.
The Lead Senior Watson signed-off on the fix.
xiaoming90
high
Residual ETH will not be sent back to users during the minting of wfCash
Summary
Residual ETH will not be sent back to users, resulting in a loss of assets.
Vulnerability Detail
At Line 67, residual ETH within the `depositUnderlyingToken` function will be sent as Native ETH back to the `msg.sender`, which is this wfCash Wrapper contract.
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L67
Within the `depositUnderlyingToken` function at Line 108 below, the `returnExcessWrapped` parameter is set to `false`, which means it will not wrap the residual ETH, and that Native ETH will be sent back to the caller (wrapper contract).
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/AccountAction.sol#L108
`balanceBefore` = amount of WETH before the deposit, `balanceAfter` = amount of WETH after the deposit.
When `_sendTokensToReceiver` is executed, these two values are going to be the same since it is Native ETH that is sent to the wrapper instead of WETH. As a result, the Native ETH that the wrapper received is not forwarded to the users.
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L331
Impact
Loss of assets as the residual ETH is not sent to the users.
Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L67
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/actions/AccountAction.sol#L108
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/wrapped-fcash/contracts/wfCashLogic.sol#L331
Tool used
Manual Review
Recommendation
If the underlying is ETH, measure the Native ETH balance before and after `depositUnderlyingToken` is executed. Forward any residual Native ETH to the users, if any.
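The recommendation above, written out in Solidity as an added example; this is not code from the issue, from wrapped-fcash or from Notional. `INotionalLike`, `IWETHLike`, `WrapperRefundExample` and `ETH_CURRENCY_ID` are hypothetical stand-ins that model only the behaviour the finding describes: the deposit call refunds unused ETH to `msg.sender` (the wrapper) as native ETH rather than WETH. The vulnerable function mirrors the WETH-only `balanceBefore`/`balanceAfter` comparison; the hardened one also measures native ETH around the deposit and forwards the difference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not code from wrapped-fcash or Notional. INotionalLike and
// IWETHLike are hypothetical minimal interfaces: the only behaviour modelled is
// that depositUnderlyingToken refunds unused native ETH to msg.sender (the wrapper)
// instead of wrapping it, which is what the finding describes.
interface INotionalLike {
    function depositUnderlyingToken(address account, uint16 currencyId, uint256 amount)
        external
        payable
        returns (uint256 assetTokensReceived);
}

interface IWETHLike {
    function balanceOf(address owner) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract WrapperRefundExample {
    INotionalLike public immutable notional;
    IWETHLike public immutable weth;
    uint16 public constant ETH_CURRENCY_ID = 1; // assumed id for the ETH currency

    constructor(INotionalLike _notional, IWETHLike _weth) {
        notional = _notional;
        weth = _weth;
    }

    // Without this the protocol's refund would revert; with it the refunded ETH
    // silently accumulates in the wrapper unless it is explicitly forwarded.
    receive() external payable {}

    // Pattern the finding describes: only the WETH balance is compared, so a
    // refund that arrives as native ETH is never detected or forwarded.
    function mintVulnerable(uint256 amount, address receiver) external payable {
        uint256 balanceBefore = weth.balanceOf(address(this));
        notional.depositUnderlyingToken{value: msg.value}(address(this), ETH_CURRENCY_ID, amount);
        uint256 balanceAfter = weth.balanceOf(address(this));
        // balanceAfter == balanceBefore when the refund came back as native ETH,
        // so nothing is returned to the receiver.
        if (balanceAfter > balanceBefore) {
            require(weth.transfer(receiver, balanceAfter - balanceBefore), "WETH transfer failed");
        }
    }

    // Hardened pattern following the recommendation: measure native ETH around
    // the deposit as well and forward any residual to the receiver.
    function mintFixed(uint256 amount, address payable receiver) external payable {
        uint256 wethBefore = weth.balanceOf(address(this));
        // address(this).balance already includes msg.value here; subtract it so the
        // ETH that arrived with this call is not mistaken for a refund.
        uint256 ethBefore = address(this).balance - msg.value;

        notional.depositUnderlyingToken{value: msg.value}(address(this), ETH_CURRENCY_ID, amount);

        uint256 wethAfter = weth.balanceOf(address(this));
        uint256 ethAfter = address(this).balance;

        if (wethAfter > wethBefore) {
            require(weth.transfer(receiver, wethAfter - wethBefore), "WETH transfer failed");
        }
        if (ethAfter > ethBefore) {
            // Forward the residual native ETH. A receiver that cannot accept ETH makes
            // the whole mint revert instead of leaving the funds stranded in the wrapper.
            (bool ok, ) = receiver.call{value: ethAfter - ethBefore}("");
            require(ok, "ETH refund failed");
        }
    }
}
```

Two details worth noting in the hardened version: the native balance is compared against the wrapper's pre-call holdings rather than against zero, so any ETH the wrapper already held is not paid out as a refund; and the refund uses a low-level call whose failure reverts the mint, which keeps the invariant "the user either gets their residual back or the transaction does not go through". The real wfCash mint path may take WETH from the user rather than `msg.value`; the example only assumes that the deposit's refund reaches the wrapper as native ETH, as the finding states.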