Precise Pistachio Owl
Medium
contracts with complex fallback functions or no fallback functions at all may be unable to use repayETH() on behalf of others.
This happens because the refunded ETH is sent back to the msg.sender which can be a contract with no fallback function or one with a complex fallback.
In the case of no fallback, the whole call reverts.
In the case of complex fallback, call can be reverted due to it being out of gas.
https://github.com/sherlock-audit/2025-01-aave-v3-3/blob/main/aave-v3-origin/src/contracts/helpers/WrappedTokenGatewayV3.sol#L75-L94
function repayETH(address, uint256 amount, address onBehalfOf) external payable override {
uint256 paybackAmount = IERC20_3(POOL.getReserveVariableDebtToken(address(WETH))).balanceOf(
onBehalfOf
);
if (amount < paybackAmount) {
paybackAmount = amount;
}
require(msg.value >= paybackAmount, 'msg.value is less than repayment amount');
WETH.deposit{value: paybackAmount}();
POOL.repay(
address(WETH),
paybackAmount,
uint256(DataTypes.InterestRateMode.VARIABLE),
onBehalfOf
);
// refund remaining dust eth
if (msg.value > paybackAmount) _safeTransferETH(msg.sender, msg.value - paybackAmount);
}No response
- repaying contract has no fallback function or has complex fallback function.
- gas prices are higher than usual.
No response
This makes the repayETH() function unuseable for a subset of aave users in this scenario.
No response
allow callers of the repayETH() function to specify the destination address for their refunds.