toshiSat
commented
1 year ago 👍 leaving it as is
Open code423n4 opened 1 year ago
toshiSat
commented
1 year ago 👍 leaving it as is
c4-judge
commented
1 year ago Picodes marked the issue as satisfactory
Note: Issue has not actually been resolved but for some reason I can't get my issues to submit without "Mitigation confirmed (no new vulnerabilities detected)" checked so I am doing this as a work around
Severity
Medium
Lines of code
https://github.com/asymmetryfinance/smart-contracts/pull/264/files#diff-badfabc2bc0d1b9ef5dbef737cd03dc2f570f6fd2074aea9514da9db2fff6e4eR322-R332
Impact
Proof of Concept
The root cause of M-05 has still not been addressed. Sponsor comment indicates they are fixing the issue that the stETH deposit limit is not accounted for. In the readme it states that this issues has been fixed by allowing derivatives to be disabled, however that doesn't address the issue at all. That's because approxPrice will exclude any derivatives that have been disabled.
Example: Assume stETH and reth are the only derivatives and they both contain 500 of their respective asset. Now stETH reaches their deposit cap. Using the presumed solution of disabling the stETH derivative, approxPrice will now return 0.5 instead of 1. This is extremely problematic as anyone who withdraws during this period will lose half their fund and those who deposit will get double back when it is reenabled.
Tools Used
Manual Review
Recommended Mitigation Steps
I disagree with the severity of the original submission and believe it should have been QA so my recommendation would be to leave it as it is. The deposit limit for these staking derivatives are extremely high and there is very little chance of it ever hitting this limit. Additionally this only temporarily DOS's the stake function for a short period of time and during that time the unstake function is still functional allowing users access to their funds.