Closed sherlock-admin2 closed 5 months ago
2 comment(s) were left on this issue during the judging contest.
WangAudit commented:
I checked this on RemixIDE and actually the call to
vault.depositNative
will not send the msg.value cause it has decreased; therefore; the_amount
is bigger than msg.value (after sending fees); also I tested and depositNative won't revert onmsg.value == 0
check
takarez commented:
invalid; see 023
That's valid: msg.value
doesn't change on sending gas tokens out, it is a fixed incoming value for any function.
Native tokens wrap is a core feature of the protocol, it's intended to be used with erc20 == address(0)
.
bin2chen
medium
mTOFT when erc20==address(0) need to pay fees twice
Summary
In
mTOFT.wrap()
Due to incorrect implementation, need to pay fees twice to succeedVulnerability Detail
In
mTOFT.wrap()
, whenerc20==address(0)
, the payment process is as follows:_checkAndExtractFees()
:vault.registerFees{value: feeAmount}(feeAmount);
-> pay feesvault.depositNative{value: _amount}();
-> also contain fees_mint(_toAddress, _amount - _feeAmount);
The first step has already paid fees, the second step amount still contains fees
the codes as follows:
As mentioned above, suppose deposit
_amount = 10
,_feeAmount = 2
In the end:pay 4 fees
Impact
when erc20==address(0) need to pay fees twice
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/mTOFT.sol#L287
Tool used
Manual Review
Recommendation
Duplicate of #146