The user will receive less than the amount they expected
Summary
While redeeming stake tokens, the user provides minRedeemAmount to ensure they receive at least that amount. However, within the executeRedeemStakeToken function, the minRedeemAmount check is performed before the fee is deducted, which could result in the user receiving less than the expected amount.
Vulnerability Detail
The protocol allows the user to specify minRedeemAmount to ensure that they will receive this amount, or otherwise the transaction will revert. The user first submits a redemption request, in which they also specify the minRedeemAmount they expect to receive. The issue is in the flow that executes the redemption request.
As can be observed from the code, we first convert the unStakeUsd amount and store the resulting value in cache.redeemTokenAmount. Then we check it against minRedeemAmount, and only then do we deduct the fee and transfer the remaining redeemTokenAmount to the user.
The following case would occur as a result:
Bob submits a request to redeem 10e18 tokens and expects to receive 9e18 tokens.
The protocol converts the amount using the latest oracle price and gets 9 tokens as redeemTokenAmount.
The cache.redeemTokenAmount < params.minRedeemAmount check will pass, as 9e18 < 9e18 is false.
With RedeemFeeRate=10 and RATE_PRECISION=100000, the fee amount is 9e18*10/100000 = 9e14.
The amount Bob will receive is 9e18-9e14≈8.9e17.
This applies to both functions, _executeRedeemStakeUsd and _executeRedeemStakeToken.
aman
Medium
Impact
The user will receive less than the expected amount.
Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/RedeemProcess.sol#L157
Tool used
Manual Review
Recommendation
Apply the slippage check after deducting the fee.
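The two orderings side by side, as an added example that is not the Elfi code: the contract, function and error names are hypothetical, and only the fee parameters (RedeemFeeRate=10, RATE_PRECISION=100000) are taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Elfi's RedeemProcess.sol. Contract, function and error
// names are hypothetical; the fee parameters are the ones quoted in the report.
contract RedeemSlippageOrdering {
    uint256 public constant REDEEM_FEE_RATE = 10;
    uint256 public constant RATE_PRECISION = 100000;

    error RedeemTokenTooSmall(uint256 minRedeemAmount, uint256 actual);

    // Fee charged on a gross redeem amount.
    function feeOf(uint256 amount) public pure returns (uint256) {
        return (amount * REDEEM_FEE_RATE) / RATE_PRECISION;
    }

    // Ordering described in the report: the slippage check sees the gross
    // amount, so the payout can end up below minRedeemAmount by the fee.
    function payoutCheckBeforeFee(uint256 redeemTokenAmount, uint256 minRedeemAmount)
        external
        pure
        returns (uint256 payout)
    {
        if (redeemTokenAmount < minRedeemAmount) {
            revert RedeemTokenTooSmall(minRedeemAmount, redeemTokenAmount);
        }
        payout = redeemTokenAmount - feeOf(redeemTokenAmount);
    }

    // Recommended ordering: deduct the fee first, then compare what the user
    // will actually be sent against minRedeemAmount.
    function payoutCheckAfterFee(uint256 redeemTokenAmount, uint256 minRedeemAmount)
        external
        pure
        returns (uint256 payout)
    {
        payout = redeemTokenAmount - feeOf(redeemTokenAmount);
        if (payout < minRedeemAmount) {
            revert RedeemTokenTooSmall(minRedeemAmount, payout);
        }
    }
}
```

With the report's inputs (redeemTokenAmount = 9e18, minRedeemAmount = 9e18), payoutCheckBeforeFee returns 9e18 - 9e14, while payoutCheckAfterFee reverts with RedeemTokenTooSmall.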