The deposit function in the RestakeManager contract lets a user deposit a collateral token in exchange for ezETH. The amount of ezETH minted depends on the current value of the deposited collateral token as returned by lookupTokenValue. The collateral tokens are LSTs or native ETH.
File: RestakeManager.sol

```solidity
// Get the value of the collateral token being deposited
uint256 collateralTokenValue = renzoOracle.lookupTokenValue(_collateralToken, _amount);
```

File: RenzoOracle.sol

```solidity
function lookupTokenValue(IERC20 _token, uint256 _balance) public view returns (uint256) {
    AggregatorV3Interface oracle = tokenOracleLookup[_token];
    if (address(oracle) == address(0x0)) revert OracleNotFound();

    (, int256 price, , uint256 timestamp, ) = oracle.latestRoundData();
    if (timestamp < block.timestamp - MAX_TIME_WINDOW) revert OraclePriceExpired();
    if (price <= 0) revert InvalidOraclePrice();

    // Price is scaled by 10**18; dividing by SCALE_FACTOR keeps the returned value correctly scaled
    return (uint256(price) * _balance) / SCALE_FACTOR;
}
```
Issue
The collateral LST tokens exchanged for ezETH are subject to price volatility: their price may drop against ETH. The protocol provides no slippage protection for this situation, so a user may be put in a disadvantaged position and receive an unfavorably low number of minted ezETH.
Impact
This can lead to unfavorable ezETH minting rates and potential economic losses for users.
Proof of Concept
This could be the scenario:
User A deposits an LST token priced at 3,100 USD.
The LST token then suddenly drops to 2,900 USD. This could be caused by penalties imposed for malicious behavior or by network downtime.
The protocol picks up the 2,900 USD price when minting ezETH.
User A receives a lower number of ezETH because the collateral dropped in price.
Tools Used
Manual Review
Recommended Mitigation Steps
Add a minimum-output parameter to the deposit function so that the user can specify the minimum amount of ezETH they are willing to receive from minting, with the deposit reverting if the minted amount falls below it; this lets the user control the slippage.
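As an added Solidity example (not Renzo's code), the mitigation applied to a stripped-down deposit path: the contract, interface and function names (SlippageGuardedDeposit, IPriceOracle, IMintableToken, quoteDeposit, calculateMintAmount) and the pro-rata mint formula are illustrative assumptions, not the project's implementation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Renzo's code: a minimal deposit path with the caller-supplied
// minimum-output check proposed in the mitigation. All names below are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IMintableToken {
    function totalSupply() external view returns (uint256);
    function mint(address to, uint256 amount) external;
}

// Plays the role RenzoOracle.lookupTokenValue plays in the report: the ETH value
// (18 decimals) of `amount` units of `token`, read from a price feed.
interface IPriceOracle {
    function lookupTokenValue(address token, uint256 amount) external view returns (uint256);
}

contract SlippageGuardedDeposit {
    IPriceOracle public immutable oracle;
    IMintableToken public immutable ezETH;

    // ETH value of all collateral held; a real vault would derive this from its
    // holdings rather than keep a running total.
    uint256 public totalTvl;

    error ZeroDeposit();
    error TransferFailed();
    error MintBelowMinimum(uint256 minted, uint256 minOut);

    event Deposited(address indexed user, address indexed token, uint256 amount, uint256 minted);

    constructor(IPriceOracle _oracle, IMintableToken _ezETH) {
        oracle = _oracle;
        ezETH = _ezETH;
    }

    /// @dev Pro-rata mint: the share of supply equal to the share of TVL being
    ///      added. The first deposit mints 1:1 against the collateral's ETH value.
    function calculateMintAmount(uint256 existingTvl, uint256 valueIn, uint256 supply)
        public pure returns (uint256)
    {
        if (supply == 0 || existingTvl == 0) return valueIn;
        return (valueIn * supply) / existingTvl;
    }

    /// @notice Off-chain quote. A front end calls this, applies the user's
    ///         tolerance (e.g. quote * 99 / 100) and passes the result as `minOut`.
    function quoteDeposit(address token, uint256 amount) external view returns (uint256) {
        uint256 valueIn = oracle.lookupTokenValue(token, amount);
        return calculateMintAmount(totalTvl, valueIn, ezETH.totalSupply());
    }

    /// @param minOut Least ezETH the caller accepts. If the oracle price moved
    ///        against the caller between quoting and execution, the deposit
    ///        reverts instead of silently minting less.
    function deposit(address token, uint256 amount, uint256 minOut)
        external returns (uint256 minted)
    {
        if (amount == 0) revert ZeroDeposit();

        // Price is read here, at execution time, not when the user signed.
        // This is the window in which the report's 3,100 -> 2,900 drop can occur.
        uint256 valueIn = oracle.lookupTokenValue(token, amount);
        minted = calculateMintAmount(totalTvl, valueIn, ezETH.totalSupply());

        // The slippage guard: without it the user has no say in the rate they get.
        if (minted < minOut) revert MintBelowMinimum(minted, minOut);

        if (!IERC20(token).transferFrom(msg.sender, address(this), amount)) revert TransferFailed();
        totalTvl += valueIn;
        ezETH.mint(msg.sender, minted);
        emit Deposited(msg.sender, token, amount, minted);
    }
}
```

Applied to the report's scenario: the user quotes at 3,100 USD, sets minOut to 99% of that quote, and the price falls to 2,900 USD (roughly 6.5% lower) before execution; the minted amount is then below minOut and the deposit reverts rather than minting at the worse rate. The check must compare against the ezETH actually minted, not the collateral's ETH value, and the native ETH deposit path needs the same parameter, since the oracle read happens at execution time there too.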
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/RestakeManager.sol#L491-L576
Assessed type
Other