Incorrect TVL Calculation in convertToUnitOfAccountFromRestakingTokens Leads to Potential Exploitation
Summary
Vulnerability Detail
The root cause of the vulnerability "Incorrect TVL Calculation in convertToUnitOfAccountFromRestakingTokens Leads to Potential Exploitation" in the provided code is that the function convertToUnitOfAccountFromRestakingTokens incorrectly calculates the Total Value Locked (TVL) by multiplying the TVL with the amount and dividing by the total supply of tokens. This calculation assumes that the TVL is directly proportional to the total supply of tokens, which may not always be the case.
This incorrect calculation can lead to potential exploitation as it can result in inaccurate conversions and manipulations of the TVL value. This can be exploited by malicious actors to gain an unfair advantage or manipulate the system in their favor.
An attacker could exploit this vulnerability by manipulating the TVL value in order to inflate the value of their tokens. By providing a false or manipulated TVL value, the attacker could trick the system into returning a higher value for their tokens than they actually have. This could lead to potential exploitation and financial gain for the attacker.
Proof of Concept (PoC) code:
Attacker manipulates the TVL value in the system:
function manipulateTVL(uint256 newTVL) public {
tvl = newTVL;
}
Attacker calls the convertToUnitOfAccountFromRestakingTokens function with a large amount of tokens:
function exploitVulnerability() public {
uint256 amount = 1000; // large amount of tokens
uint256 manipulatedTVL = 1000000; // manipulated TVL value
manipulateTVL(manipulatedTVL);
uint256 convertedValue = convertToUnitOfAccountFromRestakingTokens(amount);
// Attacker gains profit from the manipulated TVL value
// Do something with the convertedValue
}
By manipulating the TVL value in the system, the attacker can exploit the vulnerability in the convertToUnitOfAccountFromRestakingTokens function to gain profit from the inflated token value.
Impact
The contract's convertToUnitOfAccountFromRestakingTokens function calculates the value of restaking tokens based on a potentially outdated total value locked (TVL) without updating it to reflect real-time accrued interest.
To fix this issue, the calculation should be based on a more accurate metric that reflects the actual value of the tokens being staked. One possible solution is to use the ratio of the amount being staked to the total supply, rather than the TVL. This would provide a more accurate representation of the value of the tokens being restaked.
Here is an example of a patched code that addresses the vulnerability:
In this patched code, the calculation has been changed to *amount amount / supply**, which uses the ratio of the amount being staked to the total supply to calculate the value in unit of account. This change provides a more accurate representation of the value of the tokens being restaked and mitigates the potential exploitation of the vulnerability.
Anubis
high
Incorrect TVL Calculation in convertToUnitOfAccountFromRestakingTokens Leads to Potential Exploitation
Summary
Vulnerability Detail
The root cause of the vulnerability "Incorrect TVL Calculation in convertToUnitOfAccountFromRestakingTokens Leads to Potential Exploitation" in the provided code is that the function convertToUnitOfAccountFromRestakingTokens incorrectly calculates the Total Value Locked (TVL) by multiplying the TVL with the amount and dividing by the total supply of tokens. This calculation assumes that the TVL is directly proportional to the total supply of tokens, which may not always be the case.
This incorrect calculation can lead to potential exploitation as it can result in inaccurate conversions and manipulations of the TVL value. This can be exploited by malicious actors to gain an unfair advantage or manipulate the system in their favor.
An attacker could exploit this vulnerability by manipulating the TVL value in order to inflate the value of their tokens. By providing a false or manipulated TVL value, the attacker could trick the system into returning a higher value for their tokens than they actually have. This could lead to potential exploitation and financial gain for the attacker.
Proof of Concept (PoC) code:
By manipulating the TVL value in the system, the attacker can exploit the vulnerability in the convertToUnitOfAccountFromRestakingTokens function to gain profit from the inflated token value.
Impact
The contract's convertToUnitOfAccountFromRestakingTokens function calculates the value of restaking tokens based on a potentially outdated total value locked (TVL) without updating it to reflect real-time accrued interest.
Code Snippet
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTCoordinator.sol#L175-L183
Tool used
Manual Review
Recommendation
To fix this issue, the calculation should be based on a more accurate metric that reflects the actual value of the tokens being staked. One possible solution is to use the ratio of the amount being staked to the total supply, rather than the TVL. This would provide a more accurate representation of the value of the tokens being restaked.
Here is an example of a patched code that addresses the vulnerability:
In this patched code, the calculation has been changed to *amount amount / supply**, which uses the ratio of the amount being staked to the total supply to calculate the value in unit of account. This change provides a more accurate representation of the value of the tokens being restaked and mitigates the potential exploitation of the vulnerability.