search

sherlock-audit / 2024-05-napier-update-judging

8 stars 7 forks source link

PNS - `PufETHAdapter` use wrong deposit function signature from outdated depositor interface #70

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

PNS

medium

PufETHAdapter use wrong deposit function signature from outdated depositor interface

Summary

The PufETHAdapter contract in the _stake function uses the Puffer protocol's depositor to deposit funds via the depositStETH() function. However, the function signature used in the local interface does not match the current version deployed on the mainnet, leading to potential issues when calling the function.

Vulnerability Detail

The PufETHAdapter relies on a local interface for the depositor, which is initialized with a constant address. However, the contract at this address has been updated to a new version (v2), where the function signature of depositStETH() has been changed and does not inherit from the previous version.

In the local interface, the depositStETH() function is assumed to have the signature from v1, but the contract on the mainnet now has a different signature in v2.

Constant Initialization and Local Interface:

File: napier-uups-adapters/src/Constants.sol
18: // @notice puffer depositor address on mainnet
19: address constant PUF_DEPOSITOR = 0x4aA799C5dfc01ee7d790e3bf1a7C2257CE1DcefF;

https://github.com/sherlock-audit/2024-05-napier-update/blob/c31af59c6399182fd04b40530d79d98632d2bfa7/napier-uups-adapters/src/Constants.sol#L19

File: napier-uups-adapters/src/adapters/puffer/PufETHAdapter.sol
28:     /// @notice Puffer Depositor
29:     IPufferDepositor constant PUFFER_DEPOSITOR = IPufferDepositor(Constants.PUF_DEPOSITOR);

Incorrect Function Call in _stake:

File: napier-uups-adapters/src/adapters/puffer/PufETHAdapter.sol
81:         // Stake stETH to PufferDepositor
82:         uint256 _pufETHAmt = PUFFER_DEPOSITOR.depositStETH(Permit(block.timestamp, _stETHAmt, 0, 0, 0)); //@audit wrong function signature

https://github.com/sherlock-audit/2024-05-napier-update/blob/c31af59c6399182fd04b40530d79d98632d2bfa7/napier-uups-adapters/src/adapters/puffer/PufETHAdapter.sol#L82

Updated Function Signature in v2:

67:    function depositStETH(Permit calldata permitData, address recipient)

The mismatch in function signatures can lead to failed transactions when attempting to deposit assets using the PufETHAdapter.

proxy:

https://etherscan.io/address/0x4aa799c5dfc01ee7d790e3bf1a7c2257ce1dceff#readProxyContract

implementation:

https://etherscan.io/address/0x8c9517a9e99c74cd072a118d3dc6b4f3217f8b9b#code

Impact

This vulnerability can cause deposit transactions to fail, preventing users from depositing their assets as intended (DoS).

Code Snippet

Here is the incorrect function call in the PufETHAdapter:

File: napier-uups-adapters/src/adapters/puffer/PufETHAdapter.sol
81:         // Stake stETH to PufferDepositor
82:         uint256 _pufETHAmt = PUFFER_DEPOSITOR.depositStETH(Permit(block.timestamp, _stETHAmt, 0, 0, 0)); //@audit wrong function signature

And the expected correct function signature in the updated v2 contract:

67:    function depositStETH(Permit calldata permitData, address recipient)

Tool used

Manual Review

Recommendation

Update the Adapter to Match the New Interface

  1. Update the Local Interface: Ensure that the local interface used in PufETHAdapter matches the function signatures of the updated v2 contract.

  2. Modify the _stake Function: Adjust the _stake function in PufETHAdapter to use the correct function signature for depositStETH(), including the additional recipient parameter.

Example of Corrected Code

Updated Local Interface:

interface IPufferDepositor {
    function depositStETH(Permit calldata permitData, address recipient) external returns (uint256);
}

Corrected _stake Function:

File: napier-uups-adapters/src/adapters/puffer/PufETHAdapter.sol
81:         // Stake stETH to PufferDepositor
82:         uint256 _pufETHAmt = PUFFER_DEPOSITOR.depositStETH(Permit(block.timestamp, _stETHAmt, 0, 0, 0), address(this)); //@audit correct function signature

By ensuring that the PufETHAdapter uses the correct function signatures, the protocol can prevent failed transactions and maintain proper functionality.

Duplicate of #21