sherlock-audit / 2024-05-sophon-judging


MightyRaju - EETH Deposits Would Be Non-Functional If WhiteListing Is Turned On #135

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

MightyRaju

medium

EETH Deposits Would Be Non-Functional If WhiteListing Is Turned On

Summary

Note that this is unrelated to whether external admins are trusted; this is a feature which can be toggled in the EETH Liquidity Pool contract. If whitelisting is turned on in the EETH liquidity pool, deposits to the weETH pool (via depositing ETH or WETH) would become impossible since they would always revert.

Vulnerability Detail

1.) The farming period has begun and users can now deposit to earn rewards.

2.) User holds ETH/WETH and wants to deposit into the weETH pool.

3.) Calls depositEth here https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L503

4.) Since the user wants to deposit into the weETH pool, this code snippet would trigger:

    } else if (_predefinedPool == PredefinedPool.weETH) {
        _finalAmount = _ethTOeEth(_finalAmount);
    }

which triggers:

    function _ethTOeEth(uint256 _amount) internal returns (uint256) {
        // deposit returns exact amount of eETH
        return IeETHLiquidityPool(eETHLiquidityPool).deposit{value: _amount}(address(this));
    }

5.) In the deposit function of the eETH Liquidity Pool contract here https://github.com/etherfi-protocol/smart-contracts/blob/master/src/LiquidityPool.sol#L148, it would revert if the whitelisting mechanism has been turned on by the eETH team.

Therefore, a user trying to deposit into the weETH pool would encounter a DoS, and this breaks a core functionality of the contract.

Impact

A user trying to deposit into the weETH pool would encounter a DoS, and this breaks a core functionality of the contract.

Code Snippet

https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L834

Tool used

Manual Review

Recommendation

These kinds of risks should be acknowledged; an alternative solution could be to re-route the deposit into the wstETH pool in such a case.
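
The call chain described in the report, modelled in a small added example (not Sophon's or ether.fi's code): a constructed mock of the external pool whose deposit reverts once a whitelist toggle is on, the unguarded conversion shape the report quotes, and a guarded variant that catches the external revert so the user's deposit fails safe instead of bricking the whole path. All contract names, the whitelist toggle, and the refund fallback are assumptions made for this illustration; only deposit(address) payable mirrors the call the report shows.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited code. Models the report's failure mode and
// one defensive pattern; names other than deposit(address) are assumptions.

interface IeETHLiquidityPool {
    // Same call shape as the report's _ethTOeEth: deposit{value: x}(address)
    function deposit(address _referral) external payable returns (uint256);
}

// Constructed mock of the external pool. The whitelist toggle stands in for
// the behaviour the report describes; it is not the real LiquidityPool code.
contract MockEETHPool is IeETHLiquidityPool {
    bool public whitelistEnabled;
    mapping(address => bool) public whitelisted;

    function setWhitelistEnabled(bool on) external { whitelistEnabled = on; }
    function setWhitelisted(address who, bool ok) external { whitelisted[who] = ok; }

    function deposit(address) external payable override returns (uint256) {
        // When the toggle is on, a non-whitelisted depositor is rejected, and
        // that revert propagates into any contract calling this unguarded.
        if (whitelistEnabled) {
            require(whitelisted[msg.sender], "not whitelisted");
        }
        return msg.value; // 1:1 for the model
    }
}

// Hypothetical farming-contract fragment showing both shapes side by side.
contract GuardedFarmingExample {
    address public immutable eETHLiquidityPool;

    event RoutedToEETH(address indexed user, uint256 eEthOut);
    event RouteFallback(address indexed user, uint256 amount, bytes reason);

    constructor(address pool) { eETHLiquidityPool = pool; }

    // Shape from the report: an unguarded external call, so a revert inside
    // the pool reverts the user's entire deposit (the DoS described above).
    function depositEthUnguarded() external payable {
        uint256 eEthOut =
            IeETHLiquidityPool(eETHLiquidityPool).deposit{value: msg.value}(address(this));
        emit RoutedToEETH(msg.sender, eEthOut);
    }

    // Guarded shape: catch the pool's revert and take a defined fallback.
    // Here the fallback refunds the caller; a production variant could route
    // the funds to another pool, as the report's recommendation suggests.
    function depositEthGuarded() external payable {
        try IeETHLiquidityPool(eETHLiquidityPool).deposit{value: msg.value}(address(this))
            returns (uint256 eEthOut)
        {
            emit RoutedToEETH(msg.sender, eEthOut);
            // ... continue with weETH wrapping and pool accounting
        } catch (bytes memory reason) {
            emit RouteFallback(msg.sender, msg.value, reason);
            // Refund before any state change so the user is never stranded.
            (bool ok, ) = msg.sender.call{value: msg.value}("");
            require(ok, "refund failed");
        }
    }
}
```

Deploy MockEETHPool, then GuardedFarmingExample pointing at it; with setWhitelistEnabled(true) and the farming contract not whitelisted, depositEthUnguarded reverts while depositEthGuarded emits RouteFallback and returns the ETH. If the external pool exposes its whitelist state through a view, a pre-check before the call is a cheaper alternative, but that depends on the pool's actual interface and is not assumed here.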

sherlock-admin4 commented 1 month ago

2 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Invalid because, if a protocol's smart contracts or admin addresses get added to a "blacklist" and the functionality of the protocol is affected by this blacklist, this is not considered a valid issue.

0xreadyplayer1 commented:

As the contest README states, all the external admins are trusted. I believe the issue is valid but out of scope.