Attacker can mint more shares when calling the BaseLSTAdapter.prefundedDeposit()
Summary
From Tranche.issue(), BaseLST.prefundedDeposit() is called, which checks how many shares need to be minted by subtracting bufferEth from the contract balance.
Any user can get ahead of another and spend more than they have sent funds
Vulnerability Detail
An attacker can get ahead of the user by calling TrancheRouter.issue() > Tranche.issue() > BaseLSTAdapter.prefundedDeposit() chain and use both his own and the user's assets for a mint
Impact
An attacker can get ahead of the user to call prefundedDeposit and use his assets for a mint
Hajime
medium
Attacker can mint more shares when calling the
BaseLSTAdapter.prefundedDeposit()Summary
From
Tranche.issue(),BaseLST.prefundedDeposit()is called, which checks how many shares need to be minted by subtractingbufferEthfrom the contract balance.Any user can get ahead of another and spend more than they have sent funds
Vulnerability Detail
An attacker can get ahead of the user by calling
TrancheRouter.issue() > Tranche.issue() > BaseLSTAdapter.prefundedDeposit()chain and use both his own and the user's assets for a mintImpact
An attacker can get ahead of the user to call prefundedDeposit and use his assets for a mint
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L179
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/Tranche.sol#L208
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/adapters/BaseLSTAdapter.sol#L74
Tool used
Manual Review
Recommendation
use verification of who owns assets