search

code-423n4 / 2023-09-reserve-mitigation-findings

0 stars 0 forks source link

H-01 MitigationConfirmed #3

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

Vulnerability details

In the previous implementation, cbETH, rETH, ankrETH Use ETH as ref But it should actually be ETH2, and token.exchangeRate() is for ETH2 and the corresponding pegPricei s inaccurate

Mitigation

PR 899 Adjusted to EHT2 and introduced targetPerTokChainlinkFeed instead of _underlyingRefPerTok for price calculation the mitigation resolved the original issue.

obscure

Reth Is to provide reth.burn() get eth from reth via getExchangeRate() without loss. https://etherscan.io/token/0xae78736cd615f374d3085123a210448e74fc6393#code

    // Burn rETH for ETH
    function burn(uint256 _rethAmount) override external {
        // Check rETH amount
        require(_rethAmount > 0, "Invalid token burn amount");
        require(balanceOf(msg.sender) >= _rethAmount, "Insufficient rETH balance");
        // Get ETH amount
@>      uint256 ethAmount = getEthValue(_rethAmount);
        // Get & check ETH balance
        uint256 ethBalance = getTotalCollateral();
        require(ethBalance >= ethAmount, "Insufficient ETH balance for exchange");
        // Update balance & supply
        _burn(msg.sender, _rethAmount);
        // Withdraw ETH from deposit pool if required
        withdrawDepositCollateral(ethAmount);
        // Transfer ETH to sender
@>      msg.sender.transfer(ethAmount);
        // Emit tokens burned event
        emit TokensBurned(msg.sender, _rethAmount, ethAmount, block.timestamp);
    }

So it makes sense for reth to use eth as a ref. It's a slightly different situation than cbETH, ankrETH.

c4-judge commented 1 year ago

thereksfour marked the issue as satisfactory