sherlock-audit / 2024-01-napier-judging


Solidity_ATL_Team_1 - Fund loss when calling `swapUnderlyingForPt` as excess ETH isn't refunded automatically #76

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

Solidity_ATL_Team_1

medium

Fund loss when calling swapUnderlyingForPt as excess ETH isn't refunded automatically

Summary

When a user calls swapUnderlyingForPt they can deposit ETH in return for a desired amount of principal token (PT). In some cases, the maximum amount of the underlying asset (underlyingInMax) is never fully used in the swap execution. This results in excess ETH being left in the Napier Router Contract. Any user can attempt to call refundEth(), but a MEV bot can frontrun this unrestricted function, successfully stealing any user's refund.

Vulnerability Detail

https://github.com/sherlock-audit/2024-01-napier/blob/6313f34110b0d12677b389f0ecb3197038211e12/v1-pool/src/NapierRouter.sol#L239-L246

User calls swapUnderlyingForPt and the swap results in excess ETH being left in the Napier router contract.

https://github.com/sherlock-audit/2024-01-napier/blob/6313f34110b0d12677b389f0ecb3197038211e12/v1-pool/src/base/PeripheryPayments.sol#L67-L69

User calls refundEth() in an attempt to claim their excess ETH.

https://github.com/sherlock-audit/2024-01-napier/blob/6313f34110b0d12677b389f0ecb3197038211e12/v1-pool/src/base/PeripheryPayments.sol#L67-L69

MEV bot frontruns the user's refundEth() call and successfully steals the user's ETH.

Impact

Users will not be able to successfully claim their refunds, incurring a partial fund loss.

Code Snippet

https://github.com/sherlock-audit/2024-01-napier/blob/6313f34110b0d12677b389f0ecb3197038211e12/v1-pool/src/base/PeripheryPayments.sol#L67-L69

Tool used

Manual Review

Recommendation

The recommendation is to automatically invoke refundEth() when users call swapUnderlyingForPt and there is excess ETH left in the Napier router contract.

Duplicate of #81
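The pattern described in the finding and the recommended fix, as an added illustration that is not Napier's code: a minimal router whose unrestricted refund pays the whole balance to whichever address calls first, beside a version that returns the unused ETH to the swapper inside the same transaction. `IPool`, the swap call and the amounts are hypothetical, and the pool is assumed to return any unused ETH to the router synchronously.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical pool interface (not Napier's): takes up to msg.value of ETH,
// sends back whatever it did not use to the caller, and reports the amount used.
interface IPool {
    function swapUnderlyingForPt(uint256 ptOut, address recipient)
        external payable returns (uint256 underlyingUsed);
}

// Vulnerable shape: leftover ETH stays in the router until someone calls refundETH().
contract VulnerableRouter {
    function swapUnderlyingForPt(IPool pool, uint256 ptOut, address recipient) external payable {
        // Whatever the pool does not consume is returned to this contract via receive()
        // and now sits in the router balance, claimable by anyone.
        pool.swapUnderlyingForPt{value: msg.value}(ptOut, recipient);
    }

    // Unrestricted: pays the entire balance to msg.sender, whoever that is.
    // A searcher who sees the swap can call this first and take the refund.
    function refundETH() external {
        uint256 bal = address(this).balance;
        if (bal > 0) {
            (bool ok, ) = msg.sender.call{value: bal}("");
            require(ok, "refund failed");
        }
    }

    receive() external payable {}
}

// Hardened shape: the refund happens in the same call as the swap, so there is
// no window in which a separate transaction can claim it.
contract HardenedRouter {
    function swapUnderlyingForPt(IPool pool, uint256 ptOut, address recipient) external payable {
        uint256 used = pool.swapUnderlyingForPt{value: msg.value}(ptOut, recipient);
        uint256 leftover = msg.value - used; // reverts on underflow in 0.8.x
        if (leftover > 0) {
            // Pay the unused portion straight back to the swapper.
            (bool ok, ) = msg.sender.call{value: leftover}("");
            require(ok, "refund failed");
        }
    }

    receive() external payable {}
}
```

The essential property is not how the leftover is computed but that it is paid to the swapper atomically with the swap; a public refund that pays the contract balance to an arbitrary caller is only safe when the swap and the refund are executed together by the same sender.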

sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid: medium(2)