V5 Vault: Medium Risk Disclosure

TL;DR: Funds are safe!

Medium Risk Issue

Earlier this week we received a bounty submission for an issue with the V5 Vault.

WETH doesn’t have a “permit” function. Permit allows users to sign an approval off-chain, then submit the signature so that a deposit can be done in one transaction.

The vault function permitAndDeposit is the function that facilitates the approve + deposit in one transaction. For WETH, however, the permit silently fails. This means that anyone can deposit on someone’s behalf if that user has done an infinite approval.

While funds cannot be stolen, it would be annoying to have someone deposit your WETH for you. It’s a griefing attack.

Fortunately, only four accounts have done an infinite approval, and one of them is me!

Mitigation Steps

Short Term

The immediate step we took was to update the Cabana app so that approvals to the WETH vault are only for the deposit amount. This means that no one can have “deposits against their will” if they’ve used the Cabana app.

You can revoke your approval by depositing a non-zero amount through the app (or by using other means). Only four accounts have infinite approval, and they should revoke the approval:

  • 0xa38445311cCd04a54183CDd347E793F4D548Df3F
  • 0x714b831eB02FE854283219B2B9f1c6951f46Dcb9
  • 0x6ab223Aa761e64FCa5e384098f0c91C50c6eC494
  • 0xe9611e603F1678498131f617ffeB7827353D3657

Long Term

We have a fix for the vault queued in our backlog. We will apply the fix soon, so that we don’t have to worry about this in the future.

On-going Bounty Program

This issue was medium risk (griefing) according to the ImmuneFi Vulnerability Classification. We paid the whitehat out from the budget that was allocated for the upcoming ImmuneFi program.
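The behaviour described in the post, as an added in-memory Python model (not the vault's Solidity code and not part of the original post). The account names, the `scenario` helper and the `require_owner_is_caller` guard are assumptions for illustration; the guard is one possible check, not the fix the team has queued.

```python
MAX = 2**256 - 1  # "infinite" approval value

class Weth:
    """Model of a token with no permit(): the unknown call does not revert."""
    def __init__(self):
        self.balance, self.allowance = {}, {}

    def call(self, selector, *args):
        # No permit implementation: returns without error and changes nothing.
        return None

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount or self.balance.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX:
            self.allowance[(owner, spender)] = allowed - amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

class Vault:
    def __init__(self, token, require_owner_is_caller):
        self.token, self.shares = token, {}
        self.require_owner_is_caller = require_owner_is_caller  # assumed guard

    def permit_and_deposit(self, caller, owner, amount, signature):
        if self.require_owner_is_caller and caller != owner:
            raise PermissionError("caller is not the owner")
        # The signature is never validated by Weth, so nothing is enforced here.
        self.token.call("permit", owner, "vault", amount, signature)
        self.token.transfer_from("vault", owner, "vault", amount)
        self.shares[owner] = self.shares.get(owner, 0) + amount

def scenario(approval, hardened):
    """Return (owner's WETH, owner's vault shares) after someone else calls."""
    weth = Weth()
    weth.balance["owner"] = 10            # constructed sample state
    weth.allowance[("owner", "vault")] = approval
    vault = Vault(weth, hardened)
    try:
        vault.permit_and_deposit("third_party", "owner", 10, signature=b"")
    except PermissionError:
        pass
    return weth.balance["owner"], vault.shares.get("owner", 0)
```

With an infinite approval the owner's WETH ends up as the owner's own vault shares, which is why the issue is griefing rather than theft; with no leftover allowance, as after an exact-amount approval has been spent, the same call fails.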


Thanks for the heads up, Brendan.

Does this require any re-deployment of parts of the protocol or the WETH vault itself?

We will deploy a new vault factory so that future WETH vaults don’t have this issue.