search

code-423n4 / 2024-06-renzo-mitigation-findings

0 stars 0 forks source link

H-04 MitigationConfirmed #58

Open c4-bot-10 opened 3 months ago

c4-bot-10 commented 3 months ago

Lines of code

Vulnerability details

C4 Issue

H-04: https://github.com/code-423n4/2024-04-renzo-findings/issues/326

Issue Details

Issue of this vuln come from withdraw mechanism. When withdrawal amount is calculated at withdrawal request submission time instead of at withdrawal claim time:

function withdraw(uint256 _amount, address _assetOut) external nonReentrant {
  .   .   .   .   .   .
    uint256 amountToRedeem = renzoOracle.calculateRedeemAmount( // <--
        _amount,
        ezETH.totalSupply(),
        totalTVL
    );
  .   .   .   .   .   .
}

Along with there is no fee in deposit and withdraw, which can lead to arbitrage risk.

Mitigation

Solution to mitigate is good enough to fix the issue. This design is also used in other protocols.

Conclusion

Mitigation confirmed.

c4-judge commented 3 months ago

alcueca marked the issue as satisfactory