Slippage defined by the Owner may freeze user funds during market turbulence #460
Labels
• 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
• bug: Something isn't working
• downgraded by judge: Judge downgraded the risk level of this issue
• duplicate-150
• low quality report: This report is of especially low quality
• satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L44
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/SfrxEth.sol#L38
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/WstEth.sol#L35
Vulnerability details
The 3 derivative contracts have a slippage that is initially set to 1% and is under the control of the owner, not the users.
Impact
In case of volatility or a depeg event affecting one of the derivatives, no withdrawal will be possible on all of SafETH. Users would have to wait for the owner to change the slippage. In an emergency, users are stuck with no way to withdraw their funds and do what they please with their tokens.
Proof of Concept
A depeg event happens, caused by a hack, a temporary pause of withdrawals by one of the protocols (https://twitter.com/LidoFinance/status/1632783634192007168?lang=en), or another unexpected event.
The withdrawals from the protocol won’t happen anymore until slippage is changed.
Tools Used
Manual review
Recommended Mitigation Steps
• Allow user-controlled slippage
• Allow users to withdraw in kind from SafETH (Reth, WstETH, SFrxEth…)
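
The failure mode and the first mitigation above, as an added Python model (not code from the audited contracts). It assumes a hypothetical pool that quotes a derivative/ETH rate, the 1% owner-set slippage from the report, and a constructed 5% tolerance chosen by the user.

```python
# Simplified model (constructed for illustration): amounts and rates are
# integers scaled by 1e18, as in Solidity fixed-point arithmetic.
WAD = 10**18


class Revert(Exception):
    """Stands in for a reverted transaction."""


def swap_output(amount_in: int, rate: int) -> int:
    """ETH received from a hypothetical pool at the given derivative/ETH rate."""
    return amount_in * rate // WAD


def withdraw_owner_slippage(amount_in: int, rate: int, max_slippage: int) -> int:
    """Owner-controlled tolerance: minOut is derived from a stored maxSlippage."""
    min_out = amount_in * (WAD - max_slippage) // WAD
    out = swap_output(amount_in, rate)
    if out < min_out:
        raise Revert("slippage exceeds owner-defined maximum")
    return out


def withdraw_user_min_out(amount_in: int, rate: int, min_out: int) -> int:
    """User-controlled tolerance: the caller states the least they will accept."""
    out = swap_output(amount_in, rate)
    if out < min_out:
        raise Revert("output below caller's minOut")
    return out


def simulate(depeg_rates, max_slippage=WAD // 100, amount=10 * WAD):
    """Return (rate, owner_design_ok, user_design_ok) for each pool rate."""
    results = []
    for rate in depeg_rates:
        try:
            withdraw_owner_slippage(amount, rate, max_slippage)
            owner_ok = True
        except Revert:
            owner_ok = False
        user_min = amount * 95 // 100  # constructed: user accepts 5% below parity
        try:
            withdraw_user_min_out(amount, rate, user_min)
            user_ok = True
        except Revert:
            user_ok = False
        results.append((rate, owner_ok, user_ok))
    return results
```

With pool rates of 0.995, 0.97 and 0.90, the owner-slippage path only succeeds at 0.995, while the user-supplied minimum still lets the withdrawal through at 0.97 and rejects 0.90.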