search

sherlock-audit / 2024-05-napier-update-judging

8 stars 7 forks source link

KupiaSec - EETHAdapter.totalAssets() returns wrong value #79

Closed sherlock-admin2 closed 4 months ago

sherlock-admin2 commented 5 months ago

KupiaSec

medium

EETHAdapter.totalAssets() returns wrong value

Summary

EETHAdapter.totalAssets() returns wrong value and this can affect BaseLSTAdaper.prefundedDeposit() and Tranche.issue().

Vulnerability Detail

EETHAdapter.totalAssets() returns the sum of totalQueueEth, bufferEth and eEthBalance. 

EETHAdapter.sol
129:     function totalAssets() public view override returns (uint256) {
130:         uint256 eEthBalance = EETH.balanceOf(address(this));
131:         return totalQueueEth + bufferEth + eEthBalance; 
132:     }

The problem is totalQueueEth and bufferEth are in terms of ETH, but eEthBalance is in terms of EETH. EETH is ether.fi Staked ETH, and the price EETH is not the same as ETH. 1 EETH is almost 1 ETH in most cases, but it can vary from 0.88 ETH to 1.3 ETH in some cases. As a result, EETHAdapter.totalAssets() returns wrong value and this can affect BaseLSTAdaper.prefundedDeposit() and Tranche.issue(). Tranche.issue() is very important in Napier protocol so this error can affect overall workflow of Napier protocol.

Impact

EETHAdapter.totalAssets() returns wrong value and Tranche.issue() might not work as intended.

Tool used

Manual Review

Code Snippet

https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/etherfi/EETHAdapter.sol#L129-L132

Recommendation

Get equivalent ETH value from EETH balance in EETHAdapter.totalAssets()

sherlock-admin2 commented 4 months ago

2 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; No clear impact mentioned

PNS commented:

The eETH token represents a claim on the same amount of ETH (eETH docs)