A Chainlink price update changes the total TVL, and the change in TVL changes the share price.
Proof of Concept
Depositors earn a profit when the share price increases. When Chainlink updates the related feeds, the total TVL changes because the collateral tokens' prices change.
Take stETH/ETH as an example. The stETH/ETH feed's deviation threshold is 0.5%. This means the TVL's value can increase 0.5% in one block under extreme conditions, which creates a possible arbitrage opportunity.
Possible arbitrage attack vector:
1. Alice deposits collateral tokens into Renzo by front-running the feed update.
2. Chainlink updates the stETH/ETH feed. For example, the feed's price increases 0.5% compared with the last update. The total TVL now increases because of the stETH/ETH price increase, for example by 0.2%.
3. Alice withdraws her shares at the increased price.
function lookupTokenValue(IERC20 _token, uint256 _balance) public view returns (uint256) {
    AggregatorV3Interface oracle = tokenOracleLookup[_token];
    if (address(oracle) == address(0x0)) revert OracleNotFound();
    (, int256 price, , uint256 timestamp, ) = oracle.latestRoundData();
    if (timestamp < block.timestamp - MAX_TIME_WINDOW) revert OraclePriceExpired();
    if (price <= 0) revert InvalidOraclePrice();
    // Price is times 10**18 ensure value amount is scaled
    return (uint256(price) * _balance) / SCALE_FACTOR;
}
Tools Used
Manual
Recommended Mitigation Steps
Consider locking deposits for a period to prevent the arbitrage.
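The share-price arithmetic behind the report, with and without a deposit lock, as an added Python model (not code from the report or from Renzo). The Vault class, the OTHER token, the balances, the timestamp and the lock_period parameter are constructed for illustration; only the 0.5% feed step and the resulting 0.2% TVL change come from the text above.

```python
from dataclasses import dataclass, field

class DepositLocked(Exception):
    """Raised when a withdrawal is attempted inside the lock period."""

@dataclass
class Vault:
    """Toy model: TVL = sum(balance * oracle price), all values in ETH."""
    balances: dict        # token -> amount held (constructed values)
    prices: dict          # token -> last oracle price in ETH
    total_shares: float
    lock_period: int = 0  # hypothetical: seconds a deposit must age before withdrawal
    shares: dict = field(default_factory=dict)
    deposited_at: dict = field(default_factory=dict)

    def tvl(self):
        return sum(self.balances[t] * self.prices[t] for t in self.balances)

    def deposit(self, user, token, amount, now):
        # Shares are minted at the share price implied by the current oracle prices.
        minted = amount * self.prices[token] * self.total_shares / self.tvl()
        self.balances[token] += amount
        self.total_shares += minted
        self.shares[user] = self.shares.get(user, 0.0) + minted
        self.deposited_at[user] = now
        return minted

    def withdraw_value(self, user, now):
        # Mitigation from the report: refuse to redeem a deposit that is too fresh.
        if now - self.deposited_at[user] < self.lock_period:
            raise DepositLocked(user)
        burned = self.shares.pop(user)
        value = burned * self.tvl() / self.total_shares
        self.total_shares -= burned
        return value  # ETH value owed; payout token is out of scope for this model

def same_block_round_trip(lock_period):
    """Gain in ETH from deposit -> feed update -> withdraw at one timestamp, or None if locked."""
    vault = Vault({"stETH": 440.0, "OTHER": 560.0}, {"stETH": 1.0, "OTHER": 1.0},
                  1000.0, lock_period)
    now = 1_700_000_000                 # constructed block timestamp
    vault.deposit("alice", "OTHER", 100.0, now)
    vault.prices["stETH"] *= 1.005      # feed moves by its 0.5% deviation threshold
    try:
        return vault.withdraw_value("alice", now) - 100.0
    except DepositLocked:
        return None

if __name__ == "__main__":
    print("no lock :", same_block_round_trip(0))
    print("1h lock :", same_block_round_trip(3600))
```

With stETH at 40% of TVL after the deposit, the 0.5% feed step lifts TVL by 0.2%, and the 0.2 ETH the fresh deposit collects is value that would otherwise have accrued to the holders who were in the vault before it.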
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Oracle/RenzoOracle.sol#L71-L81
Assessed type
Timing