//
VaultRouter cannot be used for deposits when it reaches the maximum deposit limit
0xlemon profile image0xlemon
Medium

Summary

VaultRouter cannot be used for deposits when it reaches the maximum deposit limit because this contract is the msg.sender to the vault and it is treated as a depositor who has a limit.

Vulnerability Details

When doing deposits to a vault from the VaultRouter the router does an external call to the vault meaning that in Vault's case msg.sender will be the router itself. The protocol however enforces a max deposit limit for depositors. This means that after the VaultRouter reaches the vault's getMaxDeposit() no one will be able to deposit to the vault using the router.

Since the vault looks at balanceOf(msg.sender) for the deposit limit, an attacker can use the router to deposit to the vault specifying the recipient to be the router itself and then immediately withdrawing in the same transaction so that his tokens won't be stolen. He can do that to reach VaultRouter deposit limit and now no one will be able to deposit through the router.

function _depositInternal(uint256 assets, address receiver) private returns (uint256 shares) { //... // Check if deposit exceeds the maximum allowed per wallet uint256 maxDepositLocal = getMaxDeposit(); if (maxDepositLocal > 0) { @-> uint256 depositInAssets = (balanceOf(msg.sender) * _ONE) / tokenPerAsset(); uint256 newBalance = assets + depositInAssets; if (newBalance > maxDepositLocal) revert MaxDepositReached(); } //... }

Impact

DoS of the router's deposit functionality

Recommended mitigation steps

You can try to enforce the same deposit limit on the router level and give the router unlimited deposit limit