The price of ezETH is susceptible to manipulation, which can result in user losses or prevent deposits to L2.
Proof of Concept
The calculation formula for the price of ezETH is totalTVL / totalSupply. If the totalTVL increases, it will cause the price of ezETH to rise. Attackers can initiate donation attacks on the WithdrawQueue, causing totalTVL to increase while totalSupply remains unchanged, resulting in a rapid increase in the price of ezETH.
For the L2 deposit contract xRenzoDeposit, if the price fluctuates by more than 10%, it is considered invalid. Therefore, users can control the price of ezETH through donation attacks and make a profit of 10% or prevent L2 from accepting normal deposits.
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RateProvider/BalancerRateProvider.sol#L28-L41
Vulnerability details
Impact
The price of ezETH is susceptible to manipulation, which can result in user losses or prevent deposits to L2.
Proof of Concept
The calculation formula for the price of ezETH is
totalTVL / totalSupply
. If the totalTVL increases, it will cause the price of ezETH to rise. Attackers can initiate donation attacks on the WithdrawQueue, causing totalTVL to increase while totalSupply remains unchanged, resulting in a rapid increase in the price of ezETH.For the L2 deposit contract
xRenzoDeposit
, if the price fluctuates by more than 10%, it is considered invalid. Therefore, users can control the price of ezETH through donation attacks and make a profit of 10% or prevent L2 from accepting normal deposits.https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RateProvider/BalancerRateProvider.sol#L28-L41
Tools Used
Manual Review
Recommended Mitigation Steps
There isn't a great solution to this problem, but when there's a significant price change, perhaps we could try using 110% of the previous price.
Assessed type
Oracle