Malicious Rebalancer can prevent Principal Token and Yield Token holders from redeeming their underlying rewards
Summary
Due to the current implementation of the BaseLSTAdapter, SFrxETHAdapter and StEtherAdapter a malicious Rebalancer can prevent PT and YT holders from redeeming their underlying rewards
Vulnerability Detail
When a new Tranche is being deployed, an Adapter contract address is being passed to it. Since the TrancheFactory::deployTranche function can only be called by the protocol owner and since there will be a single Tranche per Adapter (which has been verified in the Discord channel of the contest), it can be derived that the Adapter will also be deployed by the protocol owner.
When a new liquid staking Adapter is deployed, the Rebalancer address is passed in to it as a constructor argument and its owner is set to its deployer - the protocol owner in our case. After it is deployed the protocol owner is able to change the Rebalancer to any arbitrary address through the setRebalancer function. The Rebalancer itself is responsible for setting the target buffer ETH percentage value of the contract and for calling the requestWithdrawal and requestWithdrawalAll functions. And this is where the problem originates from. Since the protocol owner is restricted, in the case where something happens (for example it's private key gets compromised) and it starts to misbehave, it can simply set itself or any other arbitrary address as a Rebalancer for a given Adapter of a given Tranche and then, by simply not calling the requestWithdrawal and requestWithdrawalAll it will prevent most users who hold PT or YT tokens from claiming their underlying token rewards. This is because, in order for users to claim their underlying rewards from a given liquid staking adapter, a buffer amount that is >= to the underlying amount being attempted to be claimed has to be available.
Theoretically, the buffer can also be filled by external users depositing directly into a given Adapter, but this is highly unlikely as there is no financial incentive to do so. And even if this was to happen, the Rebalancer can still set the target buffer percentage to as low as 1%, which will still make redemption of large underlying amounts close to impossible.
Impact
PT and YT holders might not be able to claim their underlying rewards, potentially forever
Allow the requestWithdrawal and requestWithdrawalAll functions of the liquid staking adapters to be called by anyone after the Tranches that use them reach maturity
Arabadzhiev
medium
Malicious Rebalancer can prevent Principal Token and Yield Token holders from redeeming their underlying rewards
Summary
Due to the current implementation of the
BaseLSTAdapter
,SFrxETHAdapter
andStEtherAdapter
a malicious Rebalancer can prevent PT and YT holders from redeeming their underlying rewardsVulnerability Detail
When a new Tranche is being deployed, an Adapter contract address is being passed to it. Since the
TrancheFactory::deployTranche
function can only be called by the protocol owner and since there will be a single Tranche per Adapter (which has been verified in the Discord channel of the contest), it can be derived that the Adapter will also be deployed by the protocol owner.When a new liquid staking Adapter is deployed, the Rebalancer address is passed in to it as a constructor argument and its owner is set to its deployer - the protocol owner in our case. After it is deployed the protocol owner is able to change the Rebalancer to any arbitrary address through the
setRebalancer
function. The Rebalancer itself is responsible for setting the target buffer ETH percentage value of the contract and for calling therequestWithdrawal
andrequestWithdrawalAll
functions. And this is where the problem originates from. Since the protocol owner is restricted, in the case where something happens (for example it's private key gets compromised) and it starts to misbehave, it can simply set itself or any other arbitrary address as a Rebalancer for a given Adapter of a given Tranche and then, by simply not calling therequestWithdrawal
andrequestWithdrawalAll
it will prevent most users who hold PT or YT tokens from claiming their underlying token rewards. This is because, in order for users to claim their underlying rewards from a given liquid staking adapter, a buffer amount that is >= to the underlying amount being attempted to be claimed has to be available.Theoretically, the buffer can also be filled by external users depositing directly into a given Adapter, but this is highly unlikely as there is no financial incentive to do so. And even if this was to happen, the Rebalancer can still set the target buffer percentage to as low as 1%, which will still make redemption of large underlying amounts close to impossible.
Impact
PT and YT holders might not be able to claim their underlying rewards, potentially forever
Code Snippet
BaseLSTAdapter.sol#L179 SFrxETHAdapter.sol#L81 StEtherAdapter.sol#L83
Tool used
Manual Review
Recommendation
Allow the
requestWithdrawal
andrequestWithdrawalAll
functions of the liquid staking adapters to be called by anyone after the Tranches that use them reach maturityDuplicate of #99