search

sherlock-audit / 2024-05-napier-update-judging

8 stars 7 forks source link

Bauer - PufETHAdapter is unable to stake #38

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 5 months ago

Bauer

medium

PufETHAdapter is unable to stake

Summary

The protocol fails to stake because it does not correctly pass the parameters when calling the PUFFER_DEPOSITOR.depositStETH() function.

Vulnerability Detail

In the PufETHAdapter._stake() function, the protocol calls PUFFER_DEPOSITOR.depositStETH() to deposit stETH into the PUFFER_DEPOSITOR contract. 

  IWETH9(Constants.WETH).withdraw(stakeAmount);
        uint256 _stETHAmt = STETH.balanceOf(address(this));
        STETH.submit{value: stakeAmount}(address(this));
        _stETHAmt = STETH.balanceOf(address(this)) - _stETHAmt;
        if (_stETHAmt == 0) revert InvariantViolation();

        // Stake stETH to PufferDepositor
        uint256 _pufETHAmt = PUFFER_DEPOSITOR.depositStETH(Permit(block.timestamp, _stETHAmt, 0, 0, 0));

It's important to note that depositStETH() protocol only passes one argument, whereas the depositStETH() function actually requires two arguments. https://etherscan.deth.net/address/0x4aa799c5dfc01ee7d790e3bf1a7c2257ce1dceff

     */
    function depositStETH(Permit calldata permitData, address recipient)
        external
        restricted
        returns (uint256 pufETHAmount)
    {
        try ERC20Permit(address(_ST_ETH)).permit({
            owner: msg.sender,
            spender: address(this),
            value: permitData.amount,
            deadline: permitData.deadline,
            v: permitData.v,
            s: permitData.s,
            r: permitData.r
        }) { } catch { }

        // Transfer stETH from user to this contract. The amount received here can be 1-2 wei lower than the actual permitData.amount
        SafeERC20.safeTransferFrom(IERC20(address(_ST_ETH)), msg.sender, address(this), permitData.amount);

        // The PufferDepositor is not supposed to hold any stETH, so we sharesOf(PufferDepositor) to the PufferVault immediately
        return PUFFER_VAULT.depositStETH(_ST_ETH.sharesOf(address(this)), recipient);
    }

This discrepancy prevents the protocol from staking.

Impact

Staking cannot be performed

Code Snippet

https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-uups-adapters/src/adapters/puffer/PufETHAdapter.sol#L82

Tool used

Manual Review

Recommendation

The suggested fix is to pass the correct parameters according to the correct implementation.

Duplicate of #21