bronze_pickaxe - Users depositing rebase tokens will lose points and funds

[sherlock-admin3]

bronze_pickaxe

medium

Users depositing rebase tokens will lose points and funds

Summary

Usage of rebase tokens will lead to lost points and funds.

Vulnerability Detail

A user can deposit rebase tokens likestETH and eETH into SophonFarming.sol using the deposit* functions. We will be focussing on stETH in this report but the same applies to eETH.

A user can deposit stETH usingdepositStEth(): SophonFarming.sol#L473-L481)

    function depositStEth(uint256 _amount, uint256 _boostAmount) external {
        IERC20(stETH).safeTransferFrom(
            msg.sender,
            address(this),
            _amount
        );

        _depositPredefinedAsset(_amount, _amount, _boostAmount, PredefinedPool.wstETH);
    }

As per the Lido docs:

stETH is a transferable rebasing utility token representing a share of the total ETH staked 
through the protocol, which consists of user deposits and staking rewards. 
Because stETH rebases daily, it communicates the position of the share daily.
The mechanism which updates the stETH balances every day is called a “rebase”. 
Every day at 12PM UTC the amount of stETH in your address will increase with the current APR. 

stETH is a rebase token, which means that overtime, the balance of a user increases with the current APR. This is a problem in the current iteration of the project.

Impact

• Alice deposits 1000e18 stETH for 30 days to earn points.
• During these 30 days, Alice will only earn points on the initial deposited 1000e18 stETH, even though that the 1000e18 stETH has increased over the 30 days.
• Furthermore, when Alice decides to withdraw, she will only be able to withdraw 1000e18 stETH, even though her initial deposit has increased due to the rebases during the 30 days.
  • At the time of writing, Alice will have lost ~10k USD using Lido's Rewards Calculator.

Note that the same applies to the usage of eETH.

Code Snippet

    function depositStEth(uint256 _amount, uint256 _boostAmount) external {
        IERC20(stETH).safeTransferFrom(
            msg.sender,
            address(this),
            _amount
        );

        _depositPredefinedAsset(_amount, _amount, _boostAmount, PredefinedPool.wstETH);
    }

Tool used

Manual Review

Recommendation

Handle rebase tokens differently or don't use them at all.

[sherlock-admin4]

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

invalid because that's the trade off for point farming. However, stETH rebases based off its value against ETH