Slippage defined by the Owner may freeze user funds during market turbulence

[code423n4]

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L44
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/SfrxEth.sol#L38
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/WstEth.sol#L35

Vulnerability details

The 3 derivatives contracts have a slippage initially defined to 1% and under the control of the owner, not the users.

Impact

In case of volatility and depeg events of one of the derivatives, no withdrawal will be possible on all SafETH. The users should wait for the owner to change the slippage. In case of Emergency the users are stuck with no way to withdraw their funds and do what they please with their token.

Proof of Concept

A depeg Event happens caused by a hack, or temporary pause by one the protocol of withdrawals https://twitter.com/LidoFinance/status/1632783634192007168?lang=en, or other unexepected event.
The withdrawals from the protocol won’t happen anymore until slippage is changed.

Tools Used

Manual review

Recommended Mitigation Steps

• Allow a user controlled Slippage
• Allow users to withdraw in kind from SafETH ( Reth, WstETH, SFrxEth…)

[c4-pre-sort]

0xSorryNotSorry marked the issue as low quality report

[c4-pre-sort]

0xSorryNotSorry marked the issue as duplicate of #814

[c4-judge]

Picodes marked the issue as duplicate of #588

[c4-judge]

Picodes marked the issue as not a duplicate

[c4-judge]

Picodes marked the issue as duplicate of #150

[c4-judge]

Picodes marked the issue as satisfactory

[c4-judge]

Picodes changed the severity to 2 (Med Risk)