code-423n4 / 2024-04-renzo-validation


Users can control the price of ezETH through donation attack #431

Closed c4-bot-4 closed 5 months ago

c4-bot-4 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RateProvider/BalancerRateProvider.sol#L28-L41

Vulnerability details

Impact

The price of ezETH is susceptible to manipulation, which can result in user losses or prevent deposits to L2.

Proof of Concept

The calculation formula for the price of ezETH is totalTVL / totalSupply. If the totalTVL increases, it will cause the price of ezETH to rise. Attackers can initiate donation attacks on the WithdrawQueue, causing totalTVL to increase while totalSupply remains unchanged, resulting in a rapid increase in the price of ezETH.

For the L2 deposit contract xRenzoDeposit, if the price fluctuates by more than 10%, it is considered invalid. Therefore, users can control the price of ezETH through donation attacks and make a profit of 10% or prevent L2 from accepting normal deposits.

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RateProvider/BalancerRateProvider.sol#L28-L41

Tools Used

Manual Review

Recommended Mitigation Steps

There isn't a great solution to this problem, but when there's a significant price change, perhaps we could try using 110% of the previous price.

Assessed type

Oracle
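The rate formula, the 10% validity bound and the 110% clamp from the report above, modelled side by side as an added example (not code from the report or from the Renzo contracts). All function names, the 18-decimal scaling, the symmetric bound and the sample balances are assumptions made for illustration.

```python
# Simplified model of a rate feed with a deviation bound (hypothetical names).
WAD = 10**18               # assumed 18-decimal fixed point
BPS = 10_000
MAX_DEVIATION_BPS = 1_000  # the 10% bound quoted in the report


def rate(total_tvl: int, total_supply: int) -> int:
    """totalTVL / totalSupply, scaled by WAD (formula from the report)."""
    if total_supply == 0:
        raise ValueError("total supply is zero")
    return total_tvl * WAD // total_supply


def within_bound(prev: int, new: int) -> bool:
    """True when the move from prev to new is at most 10% of prev."""
    return abs(new - prev) * BPS <= prev * MAX_DEVIATION_BPS


def update_reject(prev: int, new: int) -> tuple[int, bool]:
    """Reject policy: an out-of-bound rate is invalid, the old rate stays.
    The False flag stands for the consumer refusing deposits."""
    return (new, True) if within_bound(prev, new) else (prev, False)


def update_clamp(prev: int, new: int) -> int:
    """Clamp policy (the report's suggestion): move at most 10% per update.
    The lower limit is an assumption; the report only mentions 110%."""
    hi = prev * (BPS + MAX_DEVIATION_BPS) // BPS
    lo = prev * (BPS - MAX_DEVIATION_BPS) // BPS
    return max(lo, min(new, hi))


def simulate() -> list[tuple[int, int, tuple[int, bool], int]]:
    """Constructed balances: 1000 ETH TVL backing 1000 tokens, then TVL grows
    by 50 or 150 ETH while supply stays unchanged."""
    supply = tvl = 1_000 * WAD
    prev = rate(tvl, supply)
    rows = []
    for extra_eth in (50, 150):
        new = rate(tvl + extra_eth * WAD, supply)
        rows.append((extra_eth, new, update_reject(prev, new), update_clamp(prev, new)))
    return rows


if __name__ == "__main__":
    for extra, new, (kept, ok), clamped in simulate():
        print(f"+{extra} ETH: raw={new / WAD:.2f} reject->{kept / WAD:.2f} ok={ok} "
              f"clamp->{clamped / WAD:.2f}")
```

Under the reject policy an out-of-bound update leaves the consumer on a stale rate and unavailable, while the clamp keeps it available at the cost of publishing a rate that lags the computed one.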

0xJuancito commented 5 months ago

See #654

0xJuancito commented 5 months ago

@howlbot reject