code-423n4 / 2024-04-renzo-validation


Harmful arbitrage due to Chainlink oracle price discrepancy possible #480

Closed c4-bot-3 closed 2 months ago

c4-bot-3 commented 2 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Oracle/RenzoOracle.sol#L92

Vulnerability details

Impact

Renzo uses Chainlink price oracles to get TVL prices.

These oracles have parameters that can lead account pricing to deviate from market pricing, leading to harmful arbitrage opportunities and loss of funds for users.

Proof of Concept

Please see https://github.com/code-423n4/2023-11-kelp-findings/issues/584 for an identical problem.

While Renzo has a non-zero 'coolDownPeriod' for withdrawal, the window can be sufficiently high to cause harm.

Tools Used

Manual review

Recommended Mitigation Steps

Implement a higher minimal 'coolDownPeriod'.

Assessed type

Oracle

0xJuancito commented 2 months ago

Proof of concept does not pass the burden of proof test. Low effort

https://docs.code4rena.com/awarding/incentive-model-and-awards#satisfactory-unsatisfactory-submissions

0xJuancito commented 2 months ago

@howlbot reject