Hardcoded slippage can cause temporary DoS #699
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-150
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
2 (Med Risk)
|
0xSorryNotSorry marked the issue as duplicate of #949 |
|
0xSorryNotSorry marked the issue as duplicate of #365 |
|
Picodes marked the issue as not a duplicate |
|
Picodes marked the issue as duplicate of #588 |
|
Picodes marked the issue as not a duplicate |
|
Picodes marked the issue as not a duplicate |
|
Picodes marked the issue as duplicate of #150 |
|
Picodes marked the issue as duplicate of #150 |
|
Picodes marked the issue as satisfactory |
c4-judge
added
the
satisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L173-L174
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/SfrxEth.sol#L74-L75
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/WstEth.sol#L60
Vulnerability details
Impact
There is a hardcoded slippage value for each derivative which can be changed by the owner using
setMaxSlippage(). Because the slippage is not user-specified, if the slippage tolerance is not met, the protocol is unusable. The hardcoded slippage will result in thestake()operation reverting if even one of the many derivatives cannot be exchanged within the slippage tolerance. Third parties can alter the exchange rate and cause the rate to be outside the slippage tolerance, preventing users from callingstake().Proof of Concept
If the slippage tolerance is not met during the
derivative.deposit()call, the entirestake()operation will revert.Every derivative has a slippage tolerance:
The simplest case of this denial of service is in Reth.sol because the Uniswap pool can be manipulated so that the price of rETH in the Uniswap pool drops below the rate calculated by
minOut.Tools Used
Manual analysis
Recommended Mitigation Steps
Allow users to optionally specify the slippage when calling
stake(), but use the owner-controlledmaxSlippageif the user chooses not to specify a slippage tolerance.The text was updated successfully, but these errors were encountered: