search

sherlock-audit / 2024-05-napier-update-judging

8 stars 7 forks source link

blackhole - Incorrect totalAssets amounts can manipulate the price per share value in the EETHAdapter #30

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 5 months ago

blackhole

medium

Incorrect totalAssets amounts can manipulate the price per share value in the EETHAdapter

Summary

The EETHAdapter assumes that totalAssets is equal to the sum of the totalAssets of the underlying assets(WETH). However, the eEth/ETH rate is not 1:1, which can lead to incorrect totalAssets calculations.

Vulnerability Detail

https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/etherfi/EETHAdapter.sol#L131

    function totalAssets() public view override returns (uint256) {
        uint256 eEthBalance = EETH.balanceOf(address(this));
        return totalQueueEth + bufferEth + eEthBalance; // @audit eEth/WETH rate is 1 ?
    }

https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/BaseLSTAdapterUpgradeable.sol#L87 https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/BaseLSTAdapterUpgradeable.sol#L175

Impact

An incorrect totalAssets value can lead to manipulation of the price per share.

Code Snippet

https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/etherfi/EETHAdapter.sol#L131

Tool used

Manual Review

Recommendation

It's recommended to get the eEth/ETH rate from the oracle and use it to calculate the totalAssets.

sherlock-admin3 commented 4 months ago

2 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; No clear impact mentioned

PNS commented:

The eETH token represents a claim on the same amount of ETH (eETH docs)