KingNFT - Liqudity providers effectively lost their Rocket pool staking rewards while integrating with the protocol

[sherlock-admin2]

KingNFT

high

Liqudity providers effectively lost their Rocket pool staking rewards while integrating with the protocol

Summary

If we treat betting on price of crypto assets such as BTC/ETH as a 50:50 win game, then betting on price of interest bearing asset such as stETH/rETH is more likely a 55:45 game. As the long side has an inherent advantage, which would cause liqudity providers of Flatcoin effectively lost their Rocket pool staking rewards while integrating with the protocol.

Vulnerability Detail

Let's say the initial states are

initRatio = 1.1 ETH/rETH
initPriceOfETH = $2000
initPriceOfrETH = $2200
Alice.LongPostitionsSize = 1rETH
Alice.EntryPrice = $2200

Some time later, the ratio increases to 1.2 due to Rocket pool's staking reward, and the ETH price keeps same, then we get

ratio = 1.2ETH/rETH
newPriceOfETH = $2000
newPriceOfrETH = $2400
Alice.PnL = 1rETH * (newPriceOfrETH - initPriceOfrETH) / newPriceOfrETH = 1 * (2400 - 2200) / 2400 = 0.083rETH
Alice.PnLInUSD = 0.083rETH * $2400 = $200

We can see the long side Alice happens to win the $200 Rocket pool's staking reward while ETH price keeps steady. And Liqudity providers of Flatcoin is the losing side. They are effectively losing their Rocket pool staking rewards while betting with traders on rETH's price.

Impact

Liqudity providers effectively lost their Rocket pool staking rewards.

Code Snippet

https://github.com/sherlock-audit/2023-12-flatmoney/blob/bba4f077a64f43fbd565f8983388d0e985cb85db/flatcoin-v1/src/StableModule.sol#L61

Tool used

Manual Review

Recommendation

Not 100% sure if replacing with ETH oracle price can work with rETH as collateral, but looks like it's an option.

[nevillehuang]

Request PoC

[sherlock-admin2]

PoC requested from @ydspa

Requests remaining: 12

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid

[ydspa]

Escalate

I think the origin report has clearly illustrated the Vulnerability concept. And as a circumstantial evidence, let's also think about why there are none of any existing CEX/DEX list Perpetual market for interest bearing assets such as rETH/cbETH/wstETH.

[sherlock-admin2]

Escalate

I think the origin report has clearly illustrated the Vulnerability concept. And as a circumstantial evidence, let's also think about why there are none of any existing CEX/DEX list Perpetual market for interest bearing assets such as rETH/cbETH/wstETH.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[Czar102]

This is what LPs sign up for. They aren't forced to do this, and they can hedge this risk in and outside of the protocol, right?

Independently, I'd like @D-Ig @itsermin @rashtrakoff to have a look at this issue.

[nevillehuang]

@Czar102 This seems out of scope of the contest.

There are fees earned by LP for providing liquidity for borrowing. I think I need a better PNL analysis of this issue to decide.

[Czar102]

Indeed, this is out of scope. An investment may be "bad", but it works as expected.

Independently, I'm wondering if the funding rate doesn't counter this by any chance?

[Czar102]

Result: Low Unique

The escalator didn't make their point clear, and I see no basis to validate this issue. The system works as intended, and having a financial product bring statistical losses because of the design is not a valid issue.

[sherlock-admin2]

Escalations have been resolved successfully!

Escalation status:

• ydspa: rejected

[rashtrakoff]

The yield accrued by LSTs is not lost. There is much more nuance to how LST collateral behaves when compared to let's say ETH. Let's analyse this:

rETH/ETH exchange rate is crucial here. Let's say it's 1.10 ETH per rETH. This exchange rate continuously increases under ideal conditions. So when ETH price goes up by let's say 5%, rETH price actually goes up by more than this (5.5%). This in turn means the funding rates turn more to the favour of the LPs.

So is the rETH staking yield being accrued to the LPs or the leverage traders? This is difficult to ascertain. On one hand ETH price increase corresponds to profit to the leverage traders and this is amplified due to rETH/ETH exchange rate. At the same time LPs are being paid funding (assuming market is long skewed) much more than they would have had in case ETH was the collateral. Only time will tell if using rETH was a good idea or not.