code-423n4 / 2024-04-renzo-validation


Arbitrage risk due to price discrepancies between L1 and L2 #1001

Closed c4-bot-1 closed 4 months ago

c4-bot-1 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Bridge/L2/xRenzoDeposit.sol#L244-L253

Vulnerability details

Impact

The xRenzoDeposit contract on L2 allows users to exchange ETH for xezETH tokens at a price that is streamed from the L1 chain. However, this price feed may not always be in sync with the actual current price of ezETH on L1, leading to potential arbitrage opportunities.

Proof of Concept

If the ezETH price on L1 increases, an attacker can exploit the outdated price on L2 by following these steps:

  1. Bridge ETH to L2.
  2. Deposit the ETH in the xRenzoDeposit contract to mint xezETH at the old, lower price.
  3. Bridge the xezETH back to L1.
  4. Redeem the xezETH for ezETH, and ezETH for ETH at the higher, current price on L1.

Tools Used

Manual review

Recommended Mitigation Steps

While the cooldown period on withdrawals already removes the risk of immediate cascading arbitrage, the following steps may further mitigate the issue:

  1. The safest mitigation would be to disallow instant minting of xezETH on L2. Instead, send the collateral to L1, have the bridge reply with the actual mint rate at which ezETH was minted and mint xezETH at the same rate.
  2. Ensure that the price feed from L1 to L2 is updated frequently enough to minimize the potential for price discrepancies.

Assessed type

MEV
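As an added illustration (not part of the report or of the Renzo code base), a Python model of the round trip the report describes and of its two mitigations: a deposit minted against the lagging L2 price returns more ETH on L1 than was put in, minting at the L1-confirmed rate does not, and a freshness limit on the streamed price pauses minting when the feed stops updating. All names, prices and timestamps are constructed assumptions.

```python
# Constructed model of the stale-price window between the L1 ezETH rate and the
# rate streamed to L2 (illustration only; not xRenzoDeposit's actual code).
# Amounts and prices are WAD-scaled (1e18) integers, the usual Solidity
# convention; price = ETH per ezETH.
WAD = 10**18


def mint_xezeth(eth_in: int, price: int) -> int:
    """xezETH minted for eth_in at a given ETH-per-ezETH price (rounds down)."""
    return eth_in * WAD // price


def redeem_eth(xezeth: int, price: int) -> int:
    """ETH returned when xezETH is bridged back and redeemed at the L1 price."""
    return xezeth * price // WAD


def round_trip_profit(eth_in: int, mint_price: int, l1_price: int) -> int:
    """Net ETH gained (or lost) by minting at mint_price and redeeming at l1_price.

    A positive value is the surplus the report describes: it appears only while
    mint_price (the streamed L2 price) lags l1_price. Passing the L1 rate as
    mint_price models mitigation 1 (mint xezETH only at the rate the bridge
    reports back from L1); the surplus then vanishes and rounding favours the
    protocol.
    """
    return redeem_eth(mint_xezeth(eth_in, mint_price), l1_price) - eth_in


class StreamedPriceFeed:
    """Hypothetical L2-side view of the L1 price: value, push time, freshness limit."""

    def __init__(self, price: int, pushed_at: int, max_age: int):
        self.price, self.pushed_at, self.max_age = price, pushed_at, max_age

    def quote(self, now: int) -> int:
        """Mitigation 2 in enforceable form: refuse to quote (and so to mint)
        against a price older than max_age seconds, so the protocol's
        exposure is bounded by how far the rate can move in that window."""
        if now - self.pushed_at > self.max_age:
            raise ValueError("streamed price is stale; minting paused until next push")
        return self.price


if __name__ == "__main__":
    stale, current = WAD, 102 * 10**16        # L2 still quotes 1.00, L1 is at 1.02
    print(round_trip_profit(100 * WAD, stale, current) / WAD)    # 2.0 ETH surplus
    print(round_trip_profit(100 * WAD, current, current) / WAD)  # ~0 at the L1 rate
```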

DadeKuma commented 4 months ago

@howlbot accept