search

sherlock-audit / 2024-02-rio-network-core-protocol-judging

4 stars 4 forks source link

zraxx - No slippage protection in depositing #14

Closed sherlock-admin closed 7 months ago

sherlock-admin commented 7 months ago

zraxx

medium

No slippage protection in depositing

Summary

No slippage protection in depositing

Vulnerability Detail

In the function deposit and depositETH, users despoit a certain amount of tokens and obtain corresponding shares. However, the calculation of shares relies on real-time prices and total supply, and the protocol does not provide users with slippage protection, which may result in users receiving much lower shares than expected.

For example, in function convertToUnitOfAccountFromAsset, protocol obtains the real-time price and calculates the value, which causes the value to fluctuate with real-time prices.

    function convertToUnitOfAccountFromAsset(address asset, uint256 amount) public view returns (uint256) {
        if (asset == ETH_ADDRESS) {
            return amount;
        }
        address priceFeed = assetInfo[asset].priceFeed;
        uint256 price = getPrice(priceFeed);

        return _normalizeDecimals(price * amount / priceScale, assetInfo[asset].decimals, priceFeedDecimals);
    }

Impact

Users receive much lower shares than expected.

Code Snippet

https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTCoordinator.sol#L77-L93

https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTAssetRegistry.sol#L188-L196

Tool used

Manual Review

Recommendation

Add corresponding slippage protection.

Duplicate of #214

solimander commented 7 months ago

The value fluctuates with real-time prices, but there is no price impact. For this reason, there are no plans to add slippage protection.