Closed sherlock-admin3 closed 4 months ago
2 comment(s) were left on this issue during the judging contest.
z3s commented:
Invalid; No clear impact mentioned
PNS commented:
The eETH token represents a claim on the same amount of ETH (eETH docs)
blackhole
medium
Incorrect totalAssets amounts can manipulate the price per share value in the EETHAdapter
Summary
The EETHAdapter assumes that totalAssets is equal to the sum of the totalAssets of the underlying assets(WETH). However, the eEth/ETH rate is not 1:1, which can lead to incorrect totalAssets calculations.
Vulnerability Detail
https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/etherfi/EETHAdapter.sol#L131
https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/BaseLSTAdapterUpgradeable.sol#L87 https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/BaseLSTAdapterUpgradeable.sol#L175
Impact
An incorrect totalAssets value can lead to manipulation of the price per share.
Code Snippet
https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/etherfi/EETHAdapter.sol#L131
Tool used
Manual Review
Recommendation
It's recommended to get the eEth/ETH rate from the oracle and use it to calculate the totalAssets.