Closed c4-bot-3 closed 2 months ago
Proof of concept does not pass the burden of proof test. Low effort
https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions
@howlbot reject
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Oracle/RenzoOracle.sol#L92
Vulnerability details
Impact
Renzo uses Chainlink price oracles to get TVL prices.
These oracles have parameters that can lead account pricing to deviate from market pricing, leading to harmful arbitrage opportunities and loss of funds to users.
Proof of Concept
Please see https://github.com/code-423n4/2023-11-kelp-findings/issues/584 for an identical problem.
While Renzo has a non-zero 'coolDownPeriod' for withdrawal, the window can be sufficiently high to cause harm.
Tools Used
Manual review
Recommended Mitigation Steps
Implement a higher minimum 'coolDownPeriod'
Assessed type
Oracle
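The two controls the report points at, a price read that rejects stale or invalid feed answers and a withdrawal cooldown that cannot be set below the feed's refresh window, shown together in an added illustration that is not Renzo's RenzoOracle code. The contract, its owner check, the `feedHeartbeat` value and the choice of "one heartbeat plus a small grace" as the floor are assumptions; only the `AggregatorV3Interface` signature is Chainlink's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Subset of Chainlink's AggregatorV3Interface, redeclared here so the file is self-contained.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical hardened consumer (not RenzoOracle) tying the withdrawal cooldown floor to the feed heartbeat.
contract GuardedOracleVault {
    error StalePrice(uint256 updatedAt, uint256 maxAge);
    error InvalidPrice(int256 answer);
    error CoolDownTooShort(uint256 proposed, uint256 minimum);

    address public immutable owner;
    AggregatorV3Interface public immutable feed;
    uint256 public immutable feedHeartbeat;     // feed's advertised heartbeat, e.g. 3600 for a 1h feed (assumed)
    uint256 public immutable minCoolDownPeriod; // floor for coolDownPeriod, derived from the heartbeat
    uint256 public coolDownPeriod;              // withdrawal delay enforced on users

    constructor(AggregatorV3Interface _feed, uint256 _heartbeat, uint256 _initialCoolDown) {
        owner = msg.sender;
        feed = _feed;
        feedHeartbeat = _heartbeat;
        // A withdrawal that completes before the feed must have refreshed lets a depositor enter on a
        // lagging price and exit before it catches up, so the cooldown may never drop below one heartbeat.
        minCoolDownPeriod = _heartbeat;
        _setCoolDownPeriod(_initialCoolDown);
    }

    // Governance setter: rejects any value that would shrink the window below the heartbeat-derived floor.
    function setCoolDownPeriod(uint256 newPeriod) external {
        require(msg.sender == owner, "not owner");
        _setCoolDownPeriod(newPeriod);
    }

    function _setCoolDownPeriod(uint256 newPeriod) internal {
        if (newPeriod < minCoolDownPeriod) revert CoolDownTooShort(newPeriod, minCoolDownPeriod);
        coolDownPeriod = newPeriod;
    }

    // Price read that reverts on stale or non-positive answers instead of silently pricing TVL with them.
    function safePrice() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        uint256 maxAge = feedHeartbeat + 5 minutes; // small grace for block timing (assumed)
        if (block.timestamp - updatedAt > maxAge) revert StalePrice(updatedAt, maxAge);
        return uint256(answer);
    }
}
```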