search

sherlock-audit / 2024-05-elfi-protocol-judging

0 stars 0 forks source link

blackhole - The `minRedeemAmount` validation check does not consider the actual redeem amount #247

Closed sherlock-admin2 closed 1 week ago

sherlock-admin2 commented 2 weeks ago

blackhole

Medium

The minRedeemAmount validation check does not consider the actual redeem amount

Summary

The minRedeemAmount validation is intended to ensure that users cannot redeem less than a specified minimum amount of stake tokens. However, the validation check does not account for the deduction of the redeemFee, allowing users to redeem an amount that is effectively less than minRedeemAmount.

Vulnerability Detail

The _executeRedeemStakeUsd function includes a validation check for the minRedeemAmount here: https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L203

    function _executeRedeemStakeUsd(
        UsdPool.Props storage pool,
        address stakeUsdToken,
        Redeem.Request memory params
    ) internal returns (uint256) {
        ...
        if (params.minRedeemAmount > 0 && redeemTokenAmount < params.minRedeemAmount) { // @audit should be checked after redeemFee calculation
            revert Errors.RedeemStakeTokenTooSmall(redeemTokenAmount);
        }
        if (pool.getMaxWithdraw(params.redeemToken) < redeemTokenAmount) {
            revert Errors.RedeemWithAmountNotEnough(params.account, params.redeemToken);
        }

        uint256 redeemFee = FeeQueryProcess.calcMintOrRedeemFee(
            redeemTokenAmount,
            AppPoolConfig.getUsdPoolConfig().redeemFeeRate
        );
        FeeProcess.chargeMintOrRedeemFee(
            redeemFee,
            params.stakeToken,
            params.redeemToken,
            params.account,
            FeeProcess.FEE_REDEEM,
            false
        );

        StakeToken(params.stakeToken).burn(account, params.unStakeAmount);
        StakeToken(params.stakeToken).transferOut(params.redeemToken, params.receiver, redeemTokenAmount - redeemFee); // @audit transferred redeemTokenAmount - redeemFee
        ...

The validation check for minRedeemAmount occurs before the redeemFee is deducted. As a result, users can redeem an amount less than the minRedeemAmount after the fee is deducted.(https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L224)

Impact

This vulnerability allows users to redeem stake tokens less than the minRedeemAmount.

Code Snippet

The function _executeRedeemStakeToken includes a validation check for the minRedeemAmount.(https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L157)

_executeRedeemStakeUsd (https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L203)

Tool used

Manual Review

Recommendation

Use the minRedeemAmount validation check after the redeemFee deduction to prevent users from redeeming stake tokens less than the minRedeemAmount.

Duplicate of #251

sherlock-admin2 commented 2 weeks ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/0xCedar/elfi-perp-contracts/pull/28