search

sherlock-audit / 2024-01-napier-judging

9 stars 6 forks source link

KingNFT - Users would almost get no reward while investing ````CETH```` Tranche #8

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

KingNFT

medium

Users would almost get no reward while investing CETH Tranche

Summary

The CompoundV2's CETH pool is during deprecation, which causes the supply APY continusly keeps extreme low. Users would almost get no reward while investing CETH Tranche.

Vulnerability Detail

Current average APY of ETH staking market is about 3%, but CETH's APY keeps extreme low, sush as only 0.1%. As Compound V2 is under deprecation, their governance incentives users to move fund out to V3.

An example APY at 20-2-2024

The coded PoC shows the APY continusly keeps extreme low.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "forge-std/console2.sol";
import {CETH} from "../../../../src/Constants.sol";
import {DateTime} from "../../../../src/utils/DateTime.sol";
interface ICETH {
    function supplyRatePerBlock() external view returns (uint);
}

contract ExtremeLowAPY is Test {
    string constant MAINNET_RPC_URL = "https://mainnet.gateway.tenderly.co";
    ICETH constant cETH = ICETH(CETH);
    uint256 constant YEAR = 24 * 3600 * 365;

    function testShowAPYOfCETHDuringDeprecation() public {
        uint256 startBlock = 19266000;
        uint256 blockInterval = 7200;
        uint256 count = 30;
        for (uint256 i; i < count; ++i) {
            uint256 currentBlock = startBlock - i * blockInterval;
            vm.createSelectFork(MAINNET_RPC_URL, currentBlock);
            uint256 blockRate = cETH.supplyRatePerBlock();
            string memory dateTime = _toDateString(block.timestamp);
            string memory apy = _toPercentString(_blockRateToAPY(blockRate));
            console2.log(string.concat("[", dateTime, "]", " APY = ", apy));
        }
    }

    function _blockRateToAPY(uint256 blockRate) internal pure returns(uint256) {
        return blockRate * (YEAR / 12); // 12 seconds per block
    }

    function _toDateString(uint256 timestamp) internal pure returns (string memory) {
        (string memory d, string memory m, string memory y) = DateTime.toDateString(timestamp);
        return string.concat(d, "-", m, "-", y);
    }

    function _toPercentString(uint256 apy) internal pure returns(string memory) {
        uint256 d0 = apy / 1e17;
        uint256 d1 = (apy % 1e17) / 1e16;
        uint256 d2 = (apy % 1e16) / 1e15;
        uint256 d3 = (apy % 1e15) / 1e14;
        return string.concat(_toString(d0), _toString(d1), ".", _toString(d2), _toString(d3), "%");
    }

    function _toString(uint256 digital) internal pure returns(string memory str) {
        str = new string(1);
        bytes16 symbols = "0123456789abcdef";
        assembly {
            mstore8(add(str, 32), byte(digital, symbols))
        }
    }
}

And the test logs

2024-01-napier\napier-v1> forge test --match-test testShowAPYOfCETHDuringDeprecation -vv
[⠰] Compiling 1 files with 0.8.19
[⠔] Solc 0.8.19 finished in 1.94sCompiler run successful!
[⠒] Solc 0.8.19 finished in 1.94s

Running 1 test for test/integration/compoundV2/wrappedCETH/ExtremeLowAPY.t.sol:ExtremeLowAPY
[PASS] testShowAPYOfCETHDuringDeprecation() (gas: 1450524)
Logs:
  [20-2-2024] APY = 00.12%
  [19-2-2024] APY = 00.11%
  [18-2-2024] APY = 00.11%
  [17-2-2024] APY = 00.11%
  [16-2-2024] APY = 00.11%
  [15-2-2024] APY = 00.10%
  [14-2-2024] APY = 00.21%
  [13-2-2024] APY = 00.20%
  [12-2-2024] APY = 00.17%
  [11-2-2024] APY = 00.02%
  [9-2-2024] APY = 00.02%
  [8-2-2024] APY = 00.02%
  [7-2-2024] APY = 00.02%
  [6-2-2024] APY = 00.02%
  [5-2-2024] APY = 00.05%
  [4-2-2024] APY = 00.04%
  [3-2-2024] APY = 00.04%
  [2-2-2024] APY = 00.04%
  [1-2-2024] APY = 00.04%
  [31-1-2024] APY = 00.04%
  [30-1-2024] APY = 00.04%
  [29-1-2024] APY = 00.05%
  [28-1-2024] APY = 00.05%
  [27-1-2024] APY = 00.05%
  [26-1-2024] APY = 00.05%
  [25-1-2024] APY = 00.06%
  [24-1-2024] APY = 00.06%
  [23-1-2024] APY = 00.06%
  [22-1-2024] APY = 00.06%
  [21-1-2024] APY = 00.06%

Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 29.88s

Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Impact

Users would almost get no reward while investing CETH Tranche, which finally makes the contract useless.

Code Snippet

https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/adapters/compoundV2/WrappedCETHAdapter.sol#L23

Tool used

Manual Review

Recommendation

Integrating Compound V3 instead of V2

sherlock-admin commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Low. Future recommendations are not considered valid according to Sherlock documentation