search

sherlock-audit / 2024-06-leveraged-vaults-judging

9 stars 8 forks source link

Hearmen - EtherFiLib_initiateWithdrawImpl approve to wrong address lead to withdraw fail #98

Closed sherlock-admin2 closed 2 months ago

sherlock-admin2 commented 2 months ago

Hearmen

High

EtherFiLib_initiateWithdrawImpl approve to wrong address lead to withdraw fail

Summary

Issue High: EtherFiLib_initiateWithdrawImpl approve to wrong address lead to withdraw fail

Vulnerability Detail

In the contract EtherFiLib.sol, the function _initiateWithdrawImpl approve to wrong address which will lead to withdraw fail

_initiateWithdrawImpl approve eETHReceived eEth to address LiquidityPool

EtherFiLib

function _initiateWithdrawImpl(uint256 weETHToUnwrap) internal returns (uint256 requestId) {
    uint256 eETHReceived = weETH.unwrap(weETHToUnwrap);
    eETH.approve(address(LiquidityPool), eETHReceived);
    return LiquidityPool.requestWithdraw(address(this), eETHReceived);
}

and in LiquidityPool.requestWithdraw , eETH will transferFrom sender to withdrawRequestNFT , which will fail due to not approved

LiquidityPool

function requestWithdraw(address recipient, uint256 amount) public whenNotPaused returns (uint256) {
    uint256 share = sharesForAmount(amount);
    if (amount > type(uint96).max || amount == 0 || share == 0) revert InvalidAmount();

    // transfer shares to WithdrawRequestNFT contract from this contract
    eETH.transferFrom(msg.sender, address(withdrawRequestNFT), amount);

    uint256 requestId = withdrawRequestNFT.requestWithdraw(uint96(amount), uint96(share), recipient, 0);

    emit Withdraw(msg.sender, recipient, amount, SourceOfFunds.EETH);

    return requestId;
}

Impact

DOS

Code Snippet

https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/strategies/SimpleDVTStakingStrategy.sol#L36https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/EtherFi.sol#L24-L27

https://github.com/etherfi-protocol/smart-contracts/blob/master/src/LiquidityPool.sol#L202-L214

Tool used

Manual Review

Recommendation

change the function to 


function _initiateWithdrawImpl(uint256 weETHToUnwrap) internal returns (uint256 requestId) {
    uint256 eETHReceived = weETH.unwrap(weETHToUnwrap);
    eETH.approve(address(WithdrawRequestNFT), eETHReceived);
    return LiquidityPool.requestWithdraw(address(this), eETHReceived);
}
sherlock-admin2 commented 2 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

EtherFiLib_initiateWithdrawImpl did not approve to wrong address