Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as duplicate of #601
Picodes marked the issue as duplicate of #1125
Picodes marked the issue as satisfactory
Picodes changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L240
Vulnerability details
Impact
When ETH cannot be directly deposited into the Rocket pool according to https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L120, the price will be calculated from the current state of the Uniswap pool https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L240.
If the balance of the RETH derivative is high enough to trigger the use of the Uniswap oracle in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73, the preDepositPrice can be manipulated by skewing the Uniswap pool, resulting in a higher mintAmount in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L98.
Proof of Concept
pre-conditions:
RETH is the only derivative, and its balance is high enough to make ethPerDerivative use the Uniswap pool in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73
Price of 1.1 ETH per RETH in the Uniswap pool and Rocket pool.
Underlying value of stake pool is 1100 ETH and total supply is 1100.
RETH derivative contains 1000 RETH.
Attack:
Attacker flashloans a bunch of RETH and swaps it for ETH, making the price in the Uniswap pool 1 ETH per RETH.
Because the price is determined via Uniswap, the underlying value of the pool calculated in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73 will be 1000, so the pre-deposit price will be ~0.909 ETH.
The totalStakeValueEth in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L92 will be 100 ETH because the price used there comes from the RocketPool (not Uniswap).
The mintAmount will be 110 ETH.
Now the Uniswap pool is skewed back to its original ratio.
Underlying value of stake pool is 1200 ETH and total supply is 1210.
Now the attacker can withdraw ~109.09 ETH based on the 110 shares.
Tools Used
Notepad
Calculator
Recommended Mitigation Steps
Use a TWAP from the Uniswap pool, or possibly Chainlink if available.
Another problem is that the price calculated for the Rocket derivative in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73 could differ from the one used in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L92. The first calculation should use the price based on the deposit amount and not the balance of the pool.
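
The share accounting from the Proof of Concept and the effect of the recommended TWAP, as an added Python model (not code from the contest repository or from the report's author). The function names, the 100 ETH stake implied by the report's totalStakeValueEth, and the 30-minute window with one 12-second skewed block are assumptions made for illustration; fees and slippage are ignored.

```python
from fractions import Fraction as F

ROCKET = F(11, 10)   # ETH per RETH reported by Rocket Pool (figure from the report)
SPOT_SKEWED = F(1)   # Uniswap spot price during the skew (figure from the report)

def stake_and_redeem(valuation_price, reth_held=F(1000), supply=F(1100), deposit=F(100)):
    """Return (shares minted, ETH those shares redeem once the price is fair again).

    valuation_price is the ETH/RETH price used to value existing holdings
    when computing the pre-deposit share price.
    """
    # Pre-deposit share price: existing holdings valued with valuation_price.
    pre_deposit_price = reth_held * valuation_price / supply
    # The new stake is valued with the Rocket Pool price, as the report describes.
    reth_bought = deposit / ROCKET
    total_stake_value = reth_bought * ROCKET
    minted = total_stake_value / pre_deposit_price
    # Redemption happens after the pool has returned to the fair price.
    underlying = (reth_held + reth_bought) * ROCKET
    redeemable = minted / (supply + minted) * underlying
    return minted, redeemable

def twap(observations):
    """Time-weighted average price over (seconds, price) observations."""
    total_seconds = sum(seconds for seconds, _ in observations)
    return sum(F(seconds) * price for seconds, price in observations) / total_seconds

# Constructed sample window: 30 minutes, skewed for a single 12-second block.
WINDOW = [(1788, ROCKET), (12, SPOT_SKEWED)]

if __name__ == "__main__":
    cases = [("fair spot", ROCKET), ("skewed spot", SPOT_SKEWED), ("TWAP", twap(WINDOW))]
    for label, price in cases:
        minted, out = stake_and_redeem(price)
        print(f"{label:12} minted={float(minted):9.4f} redeemable={float(out):9.4f} ETH")
```

With the skewed spot price the model reproduces the report's 110 shares and ~109.09 ETH; with the averaged price the same 100 ETH stake redeems for only a few hundredths of an ETH more than was deposited.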