Summary
VaultRouter cannot be used for deposits once it reaches the maximum deposit limit, because this contract is the msg.sender to the vault and is treated as a depositor who has a limit.
Vulnerability Details
When depositing to a vault through the VaultRouter, the router makes an external call to the vault, so from the vault's point of view msg.sender is the router itself. The protocol, however, enforces a max deposit limit for depositors. This means that after the VaultRouter reaches the vault's getMaxDeposit(), no one will be able to deposit to the vault using the router.

Since the vault looks at balanceOf(msg.sender) for the deposit limit, an attacker can use the router to deposit to the vault, specifying the router itself as the recipient, and then immediately withdraw in the same transaction so that their tokens won't be stolen. They can do this until the VaultRouter reaches its deposit limit, after which no one will be able to deposit through the router.
function _depositInternal(uint256 assets, address receiver) private returns (uint256 shares) {
    //...
    // Check if deposit exceeds the maximum allowed per wallet
    uint256 maxDepositLocal = getMaxDeposit();
    if (maxDepositLocal > 0) {
@->     uint256 depositInAssets = (balanceOf(msg.sender) * _ONE) / tokenPerAsset();
        uint256 newBalance = assets + depositInAssets;
        if (newBalance > maxDepositLocal) revert MaxDepositReached();
    }
    //...
}
Impact
DoS of the router's deposit functionality
Recommended mitigation steps
You can try to enforce the same deposit limit at the router level and give the router an unlimited deposit limit.
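The following is an added example, not the protocol's code: a simplified Python model of the limit check above, showing router deposits reverting once the router's own share balance is at the limit, and the recommended fix applied. The `exempt` allowlist, the router's `deposited` mapping, the 1:1 share price and the call sequence are assumptions made for illustration.

```python
ONE = 10**18  # fixed-point scale standing in for the vault's _ONE

class MaxDepositReached(Exception):
    pass

class Vault:
    def __init__(self, max_deposit, exempt=()):
        self.max_deposit = max_deposit
        self.token_per_asset = ONE   # assumption: 1 share per asset
        self.exempt = set(exempt)    # hypothetical: callers with no limit
        self.shares = {}

    def balance_of(self, who):
        return self.shares.get(who, 0)

    def deposit(self, msg_sender, assets, receiver):
        # Same check as _depositInternal: the limit is keyed on msg.sender.
        if self.max_deposit > 0 and msg_sender not in self.exempt:
            held = self.balance_of(msg_sender) * ONE // self.token_per_asset
            if assets + held > self.max_deposit:
                raise MaxDepositReached()
        minted = assets * self.token_per_asset // ONE
        self.shares[receiver] = self.balance_of(receiver) + minted

class Router:
    ADDRESS = "router"

    def __init__(self, vault, enforce_limit):
        self.vault, self.enforce_limit = vault, enforce_limit
        self.deposited = {}          # hypothetical per-user accounting

    def deposit(self, user, assets, receiver):
        total = self.deposited.get(user, 0) + assets
        if self.enforce_limit and total > self.vault.max_deposit:
            raise MaxDepositReached()
        self.vault.deposit(self.ADDRESS, assets, receiver)  # vault sees the router
        self.deposited[user] = total

def run(mitigated):
    vault = Vault(100, exempt={Router.ADDRESS} if mitigated else ())
    router = Router(vault, enforce_limit=mitigated)
    outcome = []
    # Constructed sequence of (user, assets, receiver) router deposits.
    for call in [("alice", 100, Router.ADDRESS), ("bob", 10, "bob"), ("alice", 1, "alice")]:
        try:
            router.deposit(*call)
            outcome.append("ok")
        except MaxDepositReached:
            outcome.append("revert")
    return outcome
```

`run(False)` shows every later router deposit reverting regardless of the user, while `run(True)` only rejects the user who actually exceeds the per-user limit.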