Closed sherlock-admin closed 7 months ago
2 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Low. I don't think this is a medium vulnerability
takarez commented:
valid: the function does in fact convert including the donated ETH ; medium(12)
aman
medium
RETHAdapter:prefundedRedeem allows user to withdraw donated ETH
Summary
`RETHAdapter:prefundedRedeem` allows the `to` address to redeem RETH and then transfers the total WETH balance of the `RETHAdapter` contract to the `to` address. However, there might be donated ETH in this contract.
Vulnerability Detail
The `RETHAdapter:prefundedRedeem(to)` function performs the following steps:
1) Read the RETH balance of this contract.
2) Burn the RETH tokens held by this contract and receive ETH from RocketPool.
3) Read the ETH balance of this contract and convert it into WETH.
4) Transfer the WETH to the `to` address.
There might be donated ETH in this contract, for which the `recoverETH` function is implemented so that the admin can recover it. The issue in the current implementation is that `RETHAdapter:prefundedRedeem(to)` does not account for the donated ETH and converts the whole `address(this).balance` to WETH.
LOC
https://github.com/sherlock-audit/2024-01-napier/blob/6313f34110b0d12677b389f0ecb3197038211e12/napier-v1/src/adapters/rocketPool/RETHAdapter.sol#L82C3-L98C1
Impact
The user will receive more WETH than expected.
Code Snippet
POC
Add this test case inside `RETHAdapter.t.sol` and run it with the command `forge test --mt testLLPrefundedRedeem -vvv`.
Tool used
Manual Review
Recommendation
Cache the ETH balance of the contract before calling `IRocketETH(RETH).burn(rethBal);` and subtract it from the ETH balance after the call. Then convert only the difference into WETH and transfer it to the `to` address.
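As an added illustration, not code from the Napier repository or from the reporter's POC, the sketch below puts the vulnerable shape of the redeem flow next to the recommended fix, with constructed rETH and WETH mocks so the difference can be exercised in a Foundry test. Only `IRocketETH(RETH).burn(rethBal)` and `recoverETH` are named on the page; the WETH9-style `deposit`/`transfer` interface, the ERC20 `balanceOf` call, the owner-only access control and the 1:1 burn rate of the mock are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// IRocketETH.burn is the call named in the report; the WETH and ERC20
// interfaces are assumed (WETH9-style) and are not taken from the project.
interface IRocketETH {
    function burn(uint256 rethAmount) external;
}

interface IWETH {
    function deposit() external payable;
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// @dev Sketch of the adapter, not the Napier contract. Access control is
///      simplified to a single owner set at deployment (assumption).
contract RETHAdapterSketch {
    address public immutable RETH;
    address public immutable WETH;
    address public immutable owner;

    constructor(address reth, address weth) {
        RETH = reth;
        WETH = weth;
        owner = msg.sender;
    }

    // Receives ETH from the rETH burn, but also any ETH "donated" directly.
    receive() external payable {}

    /// Vulnerable shape: wraps the entire ETH balance, so ETH donated to the
    /// adapter before the call is handed to `to` along with the redeemed ETH.
    function prefundedRedeemVulnerable(address to) external returns (uint256 amount) {
        uint256 rethBal = IERC20(RETH).balanceOf(address(this));
        IRocketETH(RETH).burn(rethBal);
        amount = address(this).balance;             // redeemed ETH + donated ETH
        IWETH(WETH).deposit{value: amount}();
        require(IWETH(WETH).transfer(to, amount), "WETH transfer failed");
    }

    /// Fixed shape, following the recommendation: snapshot the balance before
    /// the burn and wrap only the delta, leaving donated ETH for recoverETH.
    function prefundedRedeemFixed(address to) external returns (uint256 amount) {
        uint256 rethBal = IERC20(RETH).balanceOf(address(this));
        uint256 balBefore = address(this).balance;
        IRocketETH(RETH).burn(rethBal);
        amount = address(this).balance - balBefore; // only what the burn returned
        IWETH(WETH).deposit{value: amount}();
        require(IWETH(WETH).transfer(to, amount), "WETH transfer failed");
    }

    /// Admin path for donated ETH; with the fix the donation is still here
    /// after a redeem instead of having been wrapped and sent to `to`.
    function recoverETH(address to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "ETH transfer failed");
    }
}

/// Constructed stand-in for rETH: 1 rETH burns to 1 ETH, funded at deployment.
contract MockRocketETH is IRocketETH, IERC20 {
    mapping(address => uint256) public override balanceOf;

    constructor() payable {}

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function burn(uint256 rethAmount) external override {
        balanceOf[msg.sender] -= rethAmount;
        (bool ok, ) = msg.sender.call{value: rethAmount}("");
        require(ok, "ETH send failed");
    }
}

/// Constructed minimal WETH: deposit credits msg.sender, transfer moves balance.
contract MockWETH is IWETH {
    mapping(address => uint256) public balanceOf;

    function deposit() external payable override {
        balanceOf[msg.sender] += msg.value;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

To reproduce the finding in a Foundry test with these mocks: deploy `MockRocketETH` with some ETH, deploy `MockWETH` and the adapter, mint a known amount of rETH to the adapter, send a separate donation of ETH to the adapter with `vm.deal` plus a plain transfer, then call each variant and compare `MockWETH.balanceOf(to)` against the rETH amount. The vulnerable variant credits `to` with rETH amount plus donation; the fixed one credits exactly the rETH amount and leaves the donation as `address(adapter).balance` for `recoverETH`. The fix relies on the burn delivering ETH to the adapter within the same call, which is how the RocketPool burn the page refers to behaves; if a burn could settle asynchronously, the before/after delta would read zero and the redeemed ETH would be stranded.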