Closed sherlock-admin closed 5 months ago
2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
This is user input mistake
takarez commented:
valid: high(3)
Escalate.
In the report, the user intends to mint 100 ETH worth of PT/YT. Although this is a user mistake, as the user should be sending 100 Native ETH instead of 99 Native ETH, the code should revert instead of silently pulling another 100 WETH from the user's wallet address when the protocol receives insufficient ETH. So, there is a logic error here.
This results in the protocol receiving 199 ETH from the users while only using 100 ETH for the mint process, leaving behind 99 ETH sitting in the Router contract that anyone can steal. As a result, the user lost 99 ETH, a significant loss of funds in this example.
Note that the victim would not have known that their 99 ETH is sitting in the Router contract because the extra ETH is silently pulled from their wallet. By the time the victim is aware of the reduced ETH in their wallet, it is already too late. MEV and bots already retrieved the remaining ETH on the Router immediately after Bob's transaction.
Sherlock's judging rule below states that issues related to users' mistakes can be accepted if they could lead to a significant loss of funds. Thus, this issue is valid and justifiable as a High issue.
User input validation: User input validation to prevent user mistakes is not considered a valid issue. However, if a user input could result in a major protocol malfunction or significant loss of funds could be a valid high
Escalate.
In the report, the user intends to mint 100 ETH worth of PT/YT. Although this is a user mistake, as the user should be sending 100 Native ETH instead of 99 Native ETH, the code should revert instead of silently pulling another 100 WETH from the user's wallet address when the protocol receives insufficient ETH. So, there is a logic error here.
This results in the protocol receiving 199 ETH from the users while only using 100 ETH for the mint process, leaving behind 99 ETH sitting in the Router contract that anyone can steal. As a result, the user lost 99 ETH, a significant loss of funds in this example.
Note that the victim would not have known that their 99 ETH is sitting in the Router contract because the extra ETH is silently pulled from their wallet. By the time the victim is aware of the reduced ETH in their wallet, it is already too late. MEV and bots already retrieved the remaining ETH on the Router immediately after Bob's transaction.
Sherlock's judging rule below states that issues related to users' mistakes can be accepted if they could lead to a significant loss of funds. Thus, this issue is valid and justifiable as a High issue.
User input validation: User input validation to prevent user mistakes is not considered a valid issue. However, if a user input could result in a major protocol malfunction or significant loss of funds could be a valid high
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
@xiaoming9090 There is no malfunction of protocol here. This should remain invalid.
@xiaoming9090 There is no malfunction of protocol here. This should remain invalid.
This report and my earlier response above have clearly demonstrated the loss of funds for the users. Thus, it should be valid.
I disagree with the escalation. Still seems like a user input mistake to me.
Sherlock's judging rule below states that issues related to users' mistakes can be accepted if they could lead to a significant loss of funds. Thus, this issue is valid and justifiable as a High issue.
User input validation: User input validation to prevent user mistakes is not considered a valid issue. However, if a user input could result in a major protocol malfunction or significant loss of funds could be a valid high Taken from https://docs.sherlock.xyz/audits/judging/judging
A mistake in user input does not necessarily mean the issue is invalid in Sherlock. In this case, it is a combination of a user's mistake and logic error in the implementation, which led to a loss of funds. Also, Sherlock's judging rule below states that issues related to users' mistakes can be accepted up to High if they could lead to a loss of funds.
User input validation: User input validation to prevent user mistakes is not considered a valid issue. However, if a user input could result in a major protocol malfunction or significant loss of funds could be a valid high
The rule quoted concerns a loss/protocol malfunction on a higher level than for a user. I will make the above rule clearer.
Nevertheless, this is a user mistake and not a valid issue. Planning to reject the escalation and leave the issue as is.
Result: Invalid Unique
xiaoming90
high
Tranche Router silently pulls WETH from users
Summary
Tranche Router will silently pull WETH from users if insufficient native ETH being sent to the contract, but did not refund back the unused native ETH at the end, leading to loss of assets for the affected users.
Vulnerability Detail
Assume that the
underlyingAmount
is 100 ETH, but the amount of native ETH sent to the contract is 99 ETH or any amount less than 100 ETH. Instead of reverting because of insufficient native ETH being sent to the contract, the code at Line 53 will silently be executed, attempting to pull 100 WETH from the user's account (It is common for a wallet to grant max allowance to Router in the past transactions).The 100 WETH will be sent to the tranche to mint PY + YT. However, the issue is that the unused 99 ETH on the Router is not swept back to the user's account at the end of the TX. Thus, anyone else can obtain the 99 ETH that resides on the Router.
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/TrancheRouter.sol#L53
Impact
Loss of assets for the affected users.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/v1-pool/src/TrancheRouter.sol#L53
Tool used
Manual Review
Recommendation
Consider making the following changes so that it will not silently pull WETH from the users if insufficient ETH is sent.
The above measure has already been implemented in the
PeripheryPayments._pay
function and the risk has been understood and documented in Line 95 below. However, this measure is not consistently applied to the other part of the protocol.