Open c4-bot-1 opened 2 months ago
Expected Behaviour.
CloudEllie marked the issue as primary issue
alcueca marked issue #8 as primary and marked this issue as a duplicate of 8
alcueca marked the issue as not a duplicate
It is debatable whether the market or exchange rate is the real price. The market price is the price for an instant trade, while the exchange rate is the price for a trade in the terms of the stETH contract. Renzo is not even using a real market price, which would be retrieved from a DEX. Whatever the choice of oracle, there will be some arbitrage opportunities.
alcueca marked the issue as unsatisfactory: Invalid
From the PJQA:
I'd like to point that for https://github.com/code-423n4/2024-04-renzo-findings/issues/13 the arbitrage can be avoided, by underpricing stETH on deposit (market value), and over pricing it (redemption value) on withdrawal.
Pricing in any other way, due to lack of fees will create arbitrage, while pricing in the way above will protect against it
There is a factually better way to price stETH which is to use it's redemption value, and to be on the safer side, use it's market value on deposit and the redemption value on withdrawal
The in scope configuration is objectively leaking value to arbitrage when compare to the suggest mitigation
I do actually know of other protocols working on similar topics that have recognized this as a problem and taken significant steps to avoid it.
alcueca marked the issue as satisfactory
alcueca marked the issue as primary issue
alcueca marked the issue as selected for report
Mitigation from sponsor on #424, along with explanation on why both groups should be merged. Namely, that using the market rate for stETH/ETH is what enables arbitraging between different collaterals, and that the fix from this finding will also fix the duplicates.
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Oracle/RenzoOracle.sol#L70-L81
Vulnerability details
Impact
The stETH/ETH oracle is not a exchange rate feed, it's a Market Rate Feed
While other feeds are exchange rate feeds
This opens up ezETH to be vulnerable to:
POC
This opens up to arbitrage anytime stETH trades at a discount (see Liquidations on the 13th of April)
Had withdrawals been open, the following could have been possible:
As well as:
Mitigation
I believe the withdrawal logic needs to be rethought to be denominated in ETH
The suggested architecture would look like the following:
Assessed type
Oracle