Closed sherlock-admin2 closed 1 month ago
2 comment(s) were left on this issue during the judging contest.
0xmystery commented:
invalid because if a protocol's smart contracts or admin addresses get added to a "blacklist" and the functionality of the protocol is affected by this blacklist, this is not considered a valid issue
0xreadyplayer1 commented:
As contest readme states
All the external admins are trusted.
- I believe the issue is valid but out of scope.
MightyRaju
medium
EETH Deposits Would Be Non-Functional If WhiteListing Is Turned On
Summary
Note this is unrelated to if external admins are trusted, this is a feature which can be toggled in the EETH Liquidity Pool Contract. If whitelisting is turned on on the EETH liquidity pool then it would make the deposit to the weETH pool impossible (via depositing ETH or WETH) since it would always revert.
Vulnerability Detail
1.) The farming period has begun and users can now deposit to earn rewards.
2.) User holds ETH/WETH and wants to deposit into the weETH pool.
3.) Calls depositEth here https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L503
4.) Since the user wants to deposit into the weETH pool, this code snippet would trigger
which triggers,
5.) In the deposit function of the eETH Liquidity pool contract here https://github.com/etherfi-protocol/smart-contracts/blob/master/src/LiquidityPool.sol#L148, it would revert if the whitelisting mechanism has been turned on by the eETH team.
Therefore, a user trying to deposit into the weETH pool would encounter a DoS and this breaks a core functionality of the contract.
Impact
A user trying to deposit into the weETH pool would encounter a DoS and this breaks a core functionality of the contract.
Code Snippet
https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L834
Tool used
Manual Review
Recommendation
These kinds of risks should be acknowledged; an alt solution can also be to re-route the deposit into the wstETH pool in such a case.