hats-finance / ether-fi-0x36c3b77853dec9c4a237a692623293223d4b9bc4

Smart Contracts for Ether Fi dapp

Calculation of TVL in Early Adopter Pool contract is inaccurate #15

Open hats-bug-reporter[bot] opened 11 months ago

hats-bug-reporter[bot] commented 11 months ago

Github username: --

Submission hash (on-chain): 0xedbf2333fae3446e2e19f2fd3d0492058e48f639b4685c16400e2d25fd5322cd

Severity: low

Description:

The Early Adopter Pool calculates TVL by aggregating all the LSDs, including the native token, through getContractTVL(). This is quite inaccurate because each LSD is not of equal value to each other. Some are rebasing tokens and some are non-rebasing, which means that the value of some LSDs will grow.

For example, 1 rETH is about 1.09 ETH, so if a user has 1 rETH and 1 ETH in the pool, he actually has 2.09 ETH in value in the pool, and not 2 ETH as per the protocol calculations.

Attachments

The contract simply aggregates all the balances into one TVL, which is pretty inaccurate.

EarlyAdopterPool.sol

    function getContractTVL() public view returns (uint256 tvl) {
        tvl = (rETHInstance.balanceOf(address(this)) +
            wstETHInstance.balanceOf(address(this)) +
            sfrxETHInstance.balanceOf(address(this)) +
            cbETHInstance.balanceOf(address(this)) +
            address(this).balance);
    }

    function getUserTVL(address _user)
        public
        view
        returns (
            uint256 rETHBal,
            uint256 wstETHBal,
            uint256 sfrxETHBal,
            uint256 cbETHBal,
            uint256 ethBal,
            uint256 totalBal
        )
    {
        rETHBal = userToErc20Balance[_user][rETH];
        wstETHBal = userToErc20Balance[_user][wstETH];
        sfrxETHBal = userToErc20Balance[_user][sfrxETH];
        cbETHBal = userToErc20Balance[_user][cbETH];
        ethBal = depositInfo[_user].etherBalance;
        totalBal = (rETHBal + wstETHBal + sfrxETHBal + cbETHBal + ethBal);
    }

https://github.com/hats-finance/ether-fi-0x36c3b77853dec9c4a237a692623293223d4b9bc4/blob/180c708dc7cb3214d68ea9726f1999f67c3551c9/src/EarlyAdopterPool.sol#L282

Recommendation

Recommend using an oracle to count the ETH Value of each derivative before aggregating them.
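The recommendation above, as an added example that is not part of the original report or the ether.fi code base: each LSD balance is converted to ETH at an oracle rate before it is summed. `IEthRateOracle`, `RateWeightedTVL`, `MAX_RATE_AGE`, the 1e18 rate scaling and the compiler version are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

interface IERC20Balance {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical oracle interface (an assumption, not an ether.fi or vendor API).
/// `rate` is the ETH value of one whole token, scaled by 1e18.
interface IEthRateOracle {
    function ethPerToken(address token)
        external view returns (uint256 rate, uint256 updatedAt);
}

contract RateWeightedTVL {
    uint256 private constant WAD = 1e18;
    uint256 public constant MAX_RATE_AGE = 1 days; // assumed freshness bound

    IEthRateOracle public immutable oracle;
    address[] public tokens; // e.g. rETH, wstETH, sfrxETH, cbETH

    constructor(IEthRateOracle _oracle, address[] memory _tokens) {
        oracle = _oracle;
        tokens = _tokens;
    }

    /// ETH value of `amount` of `token`. Reverts on a missing or stale rate,
    /// and (via checked arithmetic) on a timestamp from the future.
    function toEth(address token, uint256 amount) public view returns (uint256) {
        (uint256 rate, uint256 updatedAt) = oracle.ethPerToken(token);
        require(rate != 0, "no rate");
        require(block.timestamp - updatedAt <= MAX_RATE_AGE, "stale rate");
        return (amount * rate) / WAD;
    }

    /// Rate-weighted counterpart of getContractTVL() for the pool at `pool`.
    function getContractTVLInEth(address pool) external view returns (uint256 tvl) {
        tvl = pool.balance; // native ETH counts 1:1
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 bal = IERC20Balance(tokens[i]).balanceOf(pool);
            tvl += toEth(tokens[i], bal);
        }
    }
}
```

With the report's figures (1 rETH at a rate of 1.09e18, plus 1 ETH), `getContractTVLInEth` returns 2.09e18 wei, where the plain sum gives 2e18.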

seongyun-ko commented 11 months ago

Correct. We were aware of it, but it is out of scope and not a risk for protocol funds.