Closed sherlock-admin2 closed 2 months ago
Big Admiral Dove
Low/Info
An ETH repayer will receive leftover assets as WETH instead of ETH.
Summary
An ETH repayer will receive leftover assets as WETH instead of ETH.
Vulnerability Detail
The NFTPositionManagerSetters::_repay() function refunds the leftover ERC20 assets to the sender after repayment. (core/positions/NFTPositionManagerSetters.sol#L127-L129)
For native ETH, as the ETH provided to the NFTPositionManager::repay() function is converted to WETH for repayment, the leftover asset is also WETH.
When the leftover is refunded, the sender therefore receives WETH instead of ETH.
Tool used
Manual Review
Recommendation
Modify the NFTPositionManagerSetters::_repay() function like below:
```diff
function _repay(AssetOperationParams memory params) internal nonReentrant {
    ...
    ...
    if (currentDebtBalance == 0 && repaid.assets < params.amount) {
-     asset.safeTransfer(msg.sender, params.amount - repaid.assets);
+     if (asset == weth) {
+       weth.withdraw(params.amount - repaid.assets);
+       (bool ok,) = payable(dest).call{value: params.amount - repaid.assets}('');
+       if (!ok) revert NFTErrorsLib.SendETHFailed(params.amount - repaid.assets);
+     } else {
+       asset.safeTransfer(msg.sender, params.amount - repaid.assets);
+     }
    }
}
```
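Review bot: the new ETH branch sends the refund to `dest`, which appears nowhere else in this hunk, while the removed line and the ERC20 branch both refund `msg.sender`; both branches should use the same recipient, e.g. `payable(msg.sender).call{value: ...}('')`, otherwise the ETH path either fails to compile or pays a different address than the token path. Separately, `weth.withdraw()` pays this contract in native ETH, so the contract needs a payable `receive()` (ideally restricted to `msg.sender == address(weth)`), which the hunk does not add. Also, `params.amount - repaid.assets` is evaluated four times; compute it once into a local `leftover` and use that in the withdraw, the call and the revert.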
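For readers who want to see the whole ETH round-trip rather than only the diff, here is an added, self-contained illustration of the repay path described in this report. It is not the project's or the reporter's code: the IWETH9 and IPool interfaces, the repayETH() entry point, the pool returning the amount actually repaid and the SendETHFailed error are assumptions made for the example. It wraps the caller's ETH, repays, unwraps any leftover and returns native ETH to msg.sender, and it includes the receive() guard that weth.withdraw() needs because WETH9 pays out with a plain ETH transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. IWETH9, IPool and the wiring
// below are assumptions; only the refund logic mirrors the report.

interface IWETH9 {
    function deposit() external payable;
    function withdraw(uint256 wad) external;
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IPool {
    // Assumed shape: repays up to `amount` of `asset` against `tokenId` and
    // returns the amount actually pulled from the caller.
    function repay(address asset, uint256 amount, uint256 tokenId) external returns (uint256);
}

contract EthRepayRefundExample {
    IWETH9 public immutable weth;
    IPool public immutable pool;
    bool private locked; // minimal reentrancy guard

    error SendETHFailed(uint256 amount); // assumed name, mirrors the report

    constructor(IWETH9 _weth, IPool _pool) {
        weth = _weth;
        pool = _pool;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // weth.withdraw() sends ETH back with a plain transfer, so the contract must
    // accept it. Restrict the sender so stray ETH cannot be parked here.
    receive() external payable {
        require(msg.sender == address(weth), "only WETH");
    }

    // Repay a position with native ETH. Anything the pool does not consume is
    // returned to the caller as ETH, not as WETH.
    function repayETH(uint256 tokenId) external payable nonReentrant {
        weth.deposit{value: msg.value}();
        weth.approve(address(pool), msg.value);

        uint256 repaid = pool.repay(address(weth), msg.value, tokenId);
        uint256 leftover = msg.value - repaid; // reverts on underflow if the pool misbehaves
        if (leftover == 0) return;

        // Hygiene: do not leave the pool with a dangling allowance.
        weth.approve(address(pool), 0);

        // The bug from the report would be: IERC20(address(weth)).transfer(msg.sender, leftover),
        // which hands the caller WETH. Instead unwrap first, then send native ETH
        // to the same recipient the token path would use.
        weth.withdraw(leftover);
        (bool ok, ) = payable(msg.sender).call{value: leftover}("");
        if (!ok) revert SendETHFailed(leftover);
    }
}
```

The refund goes to msg.sender in both the wrapped and unwrapped paths, and the receive() guard means only the WETH contract can push ETH in, so the unwrap cannot be abused to park ETH in the position manager.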