bareli
medium
Direct stETH Transfers
Summary
Direct stETH Transfers: As noted in the code comments, requestWithdrawalAll() sizes the Lido withdrawal request from the adapter's live STETH.balanceOf(address(this)) rather than from an internally tracked position. Any stETH an attacker transfers directly to the contract is therefore treated as protocol-owned, which can artificially inflate the share price.
Vulnerability Detail
/// @dev Lido has a limit on the amount of ETH that can be unstaked.
function requestWithdrawalAll() external override nonReentrant onlyRebalancer {
    if (requestId != 0) revert WithdrawalPending();
    /// INTERACT ///
@>  (uint256 queuedEth, uint256 _requestId) = _requestWithdrawal(STETH.balanceOf(address(this)));
    /// WRITE ///
    withdrawalQueueEth = queuedEth.toUint128();
    requestId = _requestId;
}
Impact
stETH sent directly to the adapter (outside its deposit path) is swept into the withdrawal request and recorded in withdrawalQueueEth as if it were protocol-owned ETH. An attacker can therefore inflate the share price by transferring stETH to the contract without a corresponding tracked deposit.
Code Snippet
https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/adapters/lido/StEtherAdapter.sol#L86
Tool used
Manual Review
Recommendation
This could be mitigated by tracking the adapter's stETH position independently of STETH.balanceOf(address(this)), crediting only what arrives through the adapter's own deposit path, and by validating balance deltas after operations that move stETH in or out. Because stETH balances rebase, the tracked quantity should be Lido shares (sharesOf / getPooledEthByShares) rather than a raw stETH amount, otherwise the tracked value drifts from the real balance after every rebase.
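The following is an added example sketch of the recommended mitigation, written for this note; it is not Napier's StEtherAdapter and it is not Lido's code. It assumes a Lido-like stETH (balanceOf, sharesOf, getPooledEthByShares, approve, transferFrom) and a Lido-like withdrawal queue exposing MAX_STETH_WITHDRAWAL_AMOUNT() and requestWithdrawals(); the contract, function and error names are hypothetical. Deposits are credited in shares measured as a delta around the transfer, so stETH sent straight to the contract never enters trackedShares and is excluded from requestWithdrawalAll().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Subset of Lido's stETH interface used here (assumed to match mainnet stETH).
interface IStETH {
    function balanceOf(address account) external view returns (uint256);
    function sharesOf(address account) external view returns (uint256);
    function getPooledEthByShares(uint256 shares) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Subset of Lido's WithdrawalQueue interface (assumed to match mainnet).
interface IWithdrawalQueue {
    function MAX_STETH_WITHDRAWAL_AMOUNT() external view returns (uint256);
    function requestWithdrawals(uint256[] calldata amounts, address owner)
        external
        returns (uint256[] memory requestIds);
}

/// Hypothetical adapter written for this note; not Napier's StEtherAdapter.
contract TrackedStEthAdapter {
    IStETH public immutable STETH;
    IWithdrawalQueue public immutable QUEUE;
    address public immutable rebalancer;

    /// Lido shares credited through deposit(). Shares, not stETH amounts,
    /// because stETH balances rebase while shares stay constant.
    uint256 public trackedShares;
    uint128 public withdrawalQueueEth;
    uint256 public requestId;

    error WithdrawalPending();
    error NotRebalancer();
    error NothingToWithdraw();
    error QueuedEthOverflow();

    modifier onlyRebalancer() {
        if (msg.sender != rebalancer) revert NotRebalancer();
        _;
    }

    constructor(IStETH steth, IWithdrawalQueue queue, address rebalancer_) {
        STETH = steth;
        QUEUE = queue;
        rebalancer = rebalancer_;
    }

    /// Credit only the shares that actually arrive through this function.
    function deposit(uint256 stEthAmount) external {
        uint256 sharesBefore = STETH.sharesOf(address(this));
        STETH.transferFrom(msg.sender, address(this), stEthAmount);
        trackedShares += STETH.sharesOf(address(this)) - sharesBefore;
    }

    /// stETH the adapter accounts for; direct transfers are not included.
    function accountedStEth() public view returns (uint256) {
        return STETH.getPooledEthByShares(trackedShares);
    }

    /// stETH sitting in the contract that nobody sent through deposit().
    function untrackedStEth() external view returns (uint256) {
        return STETH.balanceOf(address(this)) - accountedStEth();
    }

    function requestWithdrawalAll() external onlyRebalancer {
        if (requestId != 0) revert WithdrawalPending();
        // Size the request from the accounted position, not from
        // STETH.balanceOf(address(this)), which a donation can inflate.
        uint256 amount = accountedStEth();
        if (amount == 0) revert NothingToWithdraw();

        uint256 sharesBefore = STETH.sharesOf(address(this));
        (uint256 queuedEth, uint256 id) = _requestWithdrawal(amount);
        // Debit exactly the shares the queue pulled; clamp against rounding.
        uint256 spent = sharesBefore - STETH.sharesOf(address(this));
        trackedShares = spent >= trackedShares ? 0 : trackedShares - spent;

        if (queuedEth > type(uint128).max) revert QueuedEthOverflow();
        withdrawalQueueEth = uint128(queuedEth);
        requestId = id;
    }

    /// Split `amount` into chunks at or below the queue's per-request cap and
    /// submit them in one call. Returns the total queued and the first id;
    /// a production adapter should keep the whole id array.
    function _requestWithdrawal(uint256 amount) internal returns (uint256, uint256) {
        uint256 maxPerRequest = QUEUE.MAX_STETH_WITHDRAWAL_AMOUNT();
        uint256 n = (amount + maxPerRequest - 1) / maxPerRequest;
        uint256[] memory amounts = new uint256[](n);
        uint256 remaining = amount;
        for (uint256 i = 0; i < n; i++) {
            amounts[i] = remaining > maxPerRequest ? maxPerRequest : remaining;
            remaining -= amounts[i];
        }
        STETH.approve(address(QUEUE), amount);
        uint256[] memory ids = QUEUE.requestWithdrawals(amounts, address(this));
        return (amount, ids[0]);
    }
}
```

The invariant to check in tests is that untrackedStEth() equals whatever was transferred to the contract directly, before and after requestWithdrawalAll(), while accountedStEth() only ever changes through deposit() and the withdrawal itself. Lido's queue also enforces a minimum per request, so a real adapter should handle a final chunk that falls below it rather than letting the call revert.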