The xRenzoDeposit contract on L2 allows users to exchange ETH for xezETH tokens at a price that is streamed from the L1 chain. However, this price feed may not always be in sync with the actual current price of ezETH on L1, leading to potential arbitrage opportunities.
Proof of Concept
If the ezETH price on L1 increases, an attacker can exploit the outdated price on L2 by following these steps:
Bridge ETH to L2.
Deposit the ETH in the xRenzoDeposit contract to mint xezETH at the old, lower price.
Bridge the xezETH back to L1.
Redeem the xezETH for ezETH, and ezETH for ETH at the higher, current price on L1.
Tools Used
Manual review
Recommended Mitigation Steps
While the cooldown period on withdrawals already removes the risk of immediate cascading arbitrage, the following steps may further mitigate the issue:
The safest mitigation would be to disallow instant minting of xezETH on L2. Instead, send the collateral to L1, have the bridge reply with the actual mint rate at which ezETH was minted and mint xezETH at the same rate.
Ensure that the price feed from L1 to L2 is updated frequently enough to minimize the potential for price discrepancies.
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Bridge/L2/xRenzoDeposit.sol#L244-L253
Vulnerability details
Impact
The
xRenzoDeposit
contract on L2 allows users to exchange ETH forxezETH
tokens at a price that is streamed from the L1 chain. However, this price feed may not always be in sync with the actual current price ofezETH
on L1, leading to potential arbitrage opportunities.Proof of Concept
If the
ezETH
price on L1 increases, an attacker can exploit the outdated price on L2 by following these steps:xRenzoDeposit
contract to mintxezETH
at the old, lower price.xezETH
back to L1.xezETH
forezETH
, andezETH
for ETH at the higher, current price on L1.Tools Used
Manual review
Recommended Mitigation Steps
While the cooldown period on withdrawals already removes the risk of immediate cascading arbitrage, the following steps may further mitigate the issue:
Assessed type
MEV