search

sherlock-audit / 2024-06-mellow-judging

7 stars 3 forks source link

Audinarey - Protocol won't be eligible for referral rewards for depositing ETH #278

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 4 months ago

Audinarey

Medium

Protocol won't be eligible for referral rewards for depositing ETH

Summary

Protocol won't be eligible for referral rewards for depositing ETH, as the referral account is not properly set.

Vulnerability Detail

When user calls DepositWrapper::deposit(...) to deposit ETH, protocol will first deposit ETH on external protocols (e.g Lido) for minting staking shares, then warp the shares to the predefined assets wstETH, then user starts to earn reward points.

The external protocols allows caller to pass referral argument when depositing ETH, and referral account can be eligible for referral rewards if it is valid. Let's take Lido for example:

File: DepositWrapper.sol
30:     function _ethToWsteth(uint256 amount) private returns (uint256) {
31:  @>     ISteth(steth).submit{value: amount}(address(0));
32:         return _stethToWsteth(amount);
33:     }

To convert ETH to wstETH, the function submit(...) is called in the LIDO contract on L31

    function _submit(address _referral) internal returns (uint256) {
        require(msg.value != 0, "ZERO_DEPOSIT");

        StakeLimitState.Data memory stakeLimitData = STAKING_STATE_POSITION.getStorageStakeLimitStruct();
        // There is an invariant that protocol pause also implies staking pause.
        // Thus, no need to check protocol pause explicitly.
        require(!stakeLimitData.isStakingPaused(), "STAKING_PAUSED");

        if (stakeLimitData.isStakingLimitSet()) {
            uint256 currentStakeLimit = stakeLimitData.calculateCurrentStakeLimit();

            require(msg.value <= currentStakeLimit, "STAKE_LIMIT");

            STAKING_STATE_POSITION.setStorageStakeLimitStruct(stakeLimitData.updatePrevStakeLimit(currentStakeLimit - msg.value));
        }

        uint256 sharesAmount = getSharesByPooledEth(msg.value);

        _mintShares(msg.sender, sharesAmount);

        _setBufferedEther(_getBufferedEther().add(msg.value));
        emit Submitted(msg.sender, msg.value, _referral);

        _emitTransferAfterMintingShares(msg.sender, sharesAmount);
        return sharesAmount;
    }

The protocol specifies address(0) as the recipient address for the rewards as shown on L31 above and as such they wont be eligible for rewards as expected.

Impact

Protocol won't be eligible for referral rewards as expected, this can be significant value leak to the protocol.

Code Snippet

https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/utils/DepositWrapper.sol#L30-L33

Tool used

Manual Review

Recommendation

User an owner controlled account as referral address instead of the `address(0).

Duplicate of #33