Open c4-bot-10 opened 3 months ago
H-04: https://github.com/code-423n4/2024-04-renzo-findings/issues/326
The issue of this vuln comes from the withdraw mechanism, where the withdrawal amount is calculated at withdrawal request submission time instead of at withdrawal claim time:

    function withdraw(uint256 _amount, address _assetOut) external nonReentrant {
        . . .
        uint256 amountToRedeem = renzoOracle.calculateRedeemAmount( // <--
            _amount,
            ezETH.totalSupply(),
            totalTVL
        );
        . . .
    }

Along with this, there is no fee on deposit and withdraw, which can lead to arbitrage risk.
The solution to mitigate is good enough to fix the issue. This design is also used in other protocols.
Mitigation confirmed.
alcueca marked the issue as satisfactory
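An added illustration, not part of the original issue and not Renzo's code, of why the pricing point matters: it settles the same withdrawal once with the amount fixed at request time and once recomputed at claim time, after TVL has moved during the delay. The pro-rata formula, the function names `redeem_amount` and `settle`, and all numbers are assumptions made for the example.

```python
# Added illustration: a toy share-price model, not Renzo's contracts.
# Assumptions: pro-rata pricing, queued shares stay in supply until the claim,
# and every number below is constructed.
WAD = 10**18  # 18-decimal fixed point, as Solidity token math uses


def redeem_amount(shares, total_supply, total_tvl):
    """Assumed pro-rata value of `shares`; integer division like Solidity."""
    return shares * total_tvl // total_supply


def settle(tvl_at_claim, price_at):
    """Queue 100 of 1000 shares at TVL 1000, let TVL move, then claim.

    price_at="request": pay the amount fixed when the request was submitted.
    price_at="claim":   recompute the amount when the claim is made.
    Returns (payout, value of one remaining share in WAD).
    """
    supply, tvl, shares = 1000 * WAD, 1000 * WAD, 100 * WAD
    locked = redeem_amount(shares, supply, tvl)  # fixed at request time
    tvl = tvl_at_claim                           # TVL changes during the delay
    if price_at == "request":
        payout = locked
    else:
        payout = redeem_amount(shares, supply, tvl)
    supply -= shares                             # shares burned at claim
    tvl -= payout                                # assets leave the pool
    return payout, tvl * WAD // supply


if __name__ == "__main__":
    cases = (("TVL falls 10%", 900 * WAD), ("TVL rises 10%", 1100 * WAD))
    for label, tvl_at_claim in cases:
        for mode in ("request", "claim"):
            payout, per_share = settle(tvl_at_claim, mode)
            print(f"{label:14} priced at {mode:7}: payout {payout / WAD:6.1f}, "
                  f"remaining share worth {per_share / WAD:.4f}")
```

With request-time pricing the payout does not move with TVL during the delay, so the remaining holders absorb the whole difference; with claim-time pricing the withdrawer and the remaining holders end at the same per-share value.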