code-423n4 / 2023-03-asymmetry-findings


Oracle manipulation of the RETH derivative #224

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L240

Vulnerability details

Impact

When ETH cannot be directly deposited into the Rocket pool according to https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L120, the price will be calculated from the current state of the Uniswap pool: https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L240.

If the balance of the RETH derivative is high enough to trigger the use of the Uniswap oracle in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73, the preDepositPrice can be manipulated by skewing the Uniswap pool, resulting in a higher mintAmount in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L98.

Proof of Concept

Pre-conditions:

Only RETH as derivative, and the balance is high enough to make ethPerDerivative use the Uniswap pool in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73.

Price of 1.1 ETH per RETH in the Uniswap pool and Rocket pool.

Underlying value of stake pool is 1100 ETH and total supply is 1100.

RETH derivative contains 1000 RETH.

Attack:

The attacker flash-loans a bunch of RETH and swaps it for ETH, making the price in the Uniswap pool 1 ETH per RETH.

Because the price is determined via Uniswap, the underlying value of the pool calculated in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73 will be 1000. So the pre-deposit price will be ~0.909 ETH.

The totalStakeValueEth in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L92 will be 100 ETH because the price used there is coming from the RocketPool (not Uniswap).

The mintAmount will be 110 ETH.

Now the Uniswap pool is skewed back to its original ratio.

Underlying value of stake pool is 1200 ETH and total supply is 1210.

Now the attacker can withdraw ~109.09 ETH based on the 110 shares.

Tools Used

Notepad

Calculator

Recommended Mitigation Steps

Use a TWAP from the Uniswap pool or possibly Chainlink if available.

Another problem is that the price calculated for the Rocket derivative in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L73 can differ from the one in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L92. In the first calculation it should use the price based on the deposit amount and not the balance of the pool.
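A constructed Python model of the accounting walked through in this finding (added here; it is not the project's code). It assumes a 100 ETH deposit, the pool numbers from the pre-conditions, and ignores flash-loan and swap costs; the first round trip prices the balance with the skewed Uniswap spot while the stake value still uses the Rocket Pool price, the second uses one consistent price for both, which is what a TWAP or Chainlink feed plus a single price source would give.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed model of the SafEth state (not the project's contract)."""
    reth_balance: float   # RETH held by the Reth derivative
    total_supply: float   # safETH shares outstanding


def pre_deposit_price(pool: Pool, price_for_balance: float) -> float:
    """SafEth.sol#L73: underlying value / total supply. price_for_balance is
    what ethPerDerivative returns for the whole balance, i.e. the Uniswap
    spot price once the balance is large enough."""
    underlying = pool.reth_balance * price_for_balance
    return underlying / pool.total_supply if pool.total_supply else 1.0


def stake(pool: Pool, eth_in: float, price_for_balance: float, rocket_price: float) -> float:
    """Deposit eth_in. RETH is bought at rocket_price and the stake value
    (SafEth.sol#L92) is priced with rocket_price, while preDepositPrice may
    come from a different source: the inconsistency this finding describes."""
    pre_price = pre_deposit_price(pool, price_for_balance)
    reth_bought = eth_in / rocket_price
    total_stake_value_eth = reth_bought * rocket_price
    mint_amount = total_stake_value_eth / pre_price
    pool.reth_balance += reth_bought
    pool.total_supply += mint_amount
    return mint_amount


def unstake(pool: Pool, shares: float, fair_price: float) -> float:
    """Redeem shares pro rata once the Uniswap pool is back at its fair price."""
    eth_out = shares / pool.total_supply * pool.reth_balance * fair_price
    pool.total_supply -= shares
    pool.reth_balance -= eth_out / fair_price
    return eth_out


def round_trip(spot_price_at_deposit: float, rocket_price: float = 1.1,
               deposit: float = 100.0) -> tuple:
    """Return (shares minted, ETH recovered) for one deposit/withdraw cycle,
    starting from the constructed pre-conditions of the finding."""
    pool = Pool(reth_balance=1000.0, total_supply=1100.0)
    shares = stake(pool, deposit, spot_price_at_deposit, rocket_price)
    return shares, unstake(pool, shares, rocket_price)


if __name__ == "__main__":
    print(round_trip(1.0))  # skewed spot at deposit: (110.0, ~109.09)
    print(round_trip(1.1))  # consistent price:       (100.0, 100.0)
```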

c4-pre-sort commented 1 year ago

0xSorryNotSorry marked the issue as duplicate of #601

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #1125

c4-judge commented 1 year ago

Picodes marked the issue as satisfactory

c4-judge commented 1 year ago

Picodes changed the severity to 3 (High Risk)