The minRedeemAmount validation check does not consider the actual redeem amount
Summary
The minRedeemAmount validation is intended to ensure that users cannot redeem less than a specified minimum amount of stake tokens.
However, the validation check does not account for the deduction of the redeemFee, allowing users to redeem an amount that is effectively less than minRedeemAmount.
blackhole
Medium
Vulnerability Detail
The _executeRedeemStakeUsd function includes a validation check for the minRedeemAmount here: https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L203
The validation check for minRedeemAmount occurs before the redeemFee is deducted. As a result, users can redeem an amount less than the minRedeemAmount after the fee is deducted. (https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L224)
Impact
This vulnerability allows users to redeem stake tokens less than the minRedeemAmount.
Code Snippet
The function _executeRedeemStakeToken includes a validation check for the minRedeemAmount. (https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L157)
_executeRedeemStakeUsd (https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L203)
Tool used
Manual Review
Recommendation
Use the minRedeemAmount validation check after the redeemFee deduction to prevent users from redeeming stake tokens less than the minRedeemAmount.
Duplicate of #251
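The check ordering described in the report beside the ordering the recommendation asks for, as an added example that is not code from the report or from the Elfi contracts. It is a simplified model: the contract name, function names, the basis-point fee formula and the custom error are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model of the check-ordering issue; NOT the Elfi contracts.
/// The names, the basis-point fee formula and the error are assumptions.
contract RedeemOrderingExample {
    uint256 public constant BPS = 10_000;
    uint256 public immutable minRedeemAmount;
    uint256 public immutable redeemFeeBps;

    error RedeemTooSmall(uint256 amount, uint256 minimum);

    constructor(uint256 minRedeemAmount_, uint256 redeemFeeBps_) {
        require(redeemFeeBps_ < BPS, "fee too high");
        minRedeemAmount = minRedeemAmount_;
        redeemFeeBps = redeemFeeBps_;
    }

    /// Ordering described in the report: the minimum is checked against
    /// the gross amount, and the fee is deducted afterwards.
    function redeemCheckedBeforeFee(uint256 grossAmount)
        external view returns (uint256 netAmount)
    {
        if (grossAmount < minRedeemAmount) {
            revert RedeemTooSmall(grossAmount, minRedeemAmount);
        }
        uint256 fee = (grossAmount * redeemFeeBps) / BPS;
        netAmount = grossAmount - fee; // may end up below minRedeemAmount
    }

    /// Ordering from the recommendation: deduct the fee first, then check
    /// the amount the user actually receives.
    function redeemCheckedAfterFee(uint256 grossAmount)
        external view returns (uint256 netAmount)
    {
        uint256 fee = (grossAmount * redeemFeeBps) / BPS;
        netAmount = grossAmount - fee;
        if (netAmount < minRedeemAmount) {
            revert RedeemTooSmall(netAmount, minRedeemAmount);
        }
    }
}
```

With constructed values minRedeemAmount = 100 and redeemFeeBps = 100 (1%), a gross amount of 100 passes redeemCheckedBeforeFee and yields a net amount of 99, while redeemCheckedAfterFee reverts with RedeemTooSmall.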