Note: Issue has not actually been resolved but for some reason I can't get my issues to submit without "Mitigation confirmed (no new vulnerabilities detected)" checked so I am doing this as a work around
The new ethPerDerivitive function in sfrxEth.sol will revert if the oracle price returns outside of 0.1% of the 1:1 peg. This can be extremely problematic given how integrated this function is.
If the price of the derivative ever settles outside of the peg the funds in the contract will be permanently stuck. FRX_ETH_CRV_POOL_ADDRESS is a constant that can't be updated and ethPerDerivative is called inside the withdraw function. Coupled with the fact that sfrxETH has no emergency recovery function. The funds will be stuck forever in that case.
Minor and consistent depegs (similar to how LUSD is typically valued at $1.01) can happen for any number of reasons. The major issue is that if that happens all fund will be completely unrecoverable.
Tools Used
Manual Review
Recommended Mitigation Steps
The curve oraclePrice is already an EMA and not the current price of the pool so it is safe to use it as an oracle price. If unwilling to do this then there should at least be an emergency eject function to save the funds.
Note: Issue has not actually been resolved but for some reason I can't get my issues to submit without "Mitigation confirmed (no new vulnerabilities detected)" checked so I am doing this as a work around
Severity
High
Lines of code
https://github.com/asymmetryfinance/smart-contracts/pull/262/files#diff-e500be4c081e76873145b6e38a37c2d59d6d57bd96cc581c3099582be79ba505R125-R137
Impact
Derivative will become broken and all funds lost even if there is a slight depeg
Proof of Concept
The new ethPerDerivitive function in sfrxEth.sol will revert if the oracle price returns outside of 0.1% of the 1:1 peg. This can be extremely problematic given how integrated this function is.
If the price of the derivative ever settles outside of the peg the funds in the contract will be permanently stuck. FRX_ETH_CRV_POOL_ADDRESS is a constant that can't be updated and ethPerDerivative is called inside the withdraw function. Coupled with the fact that sfrxETH has no emergency recovery function. The funds will be stuck forever in that case.
Minor and consistent depegs (similar to how LUSD is typically valued at $1.01) can happen for any number of reasons. The major issue is that if that happens all fund will be completely unrecoverable.
Tools Used
Manual Review
Recommended Mitigation Steps
The curve oraclePrice is already an EMA and not the current price of the pool so it is safe to use it as an oracle price. If unwilling to do this then there should at least be an emergency eject function to save the funds.