-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hardcoded slippage can cause temporary DoS #699
Comments
0xSorryNotSorry marked the issue as duplicate of #949 |
0xSorryNotSorry marked the issue as duplicate of #365 |
Picodes marked the issue as not a duplicate |
Picodes marked the issue as duplicate of #588 |
Picodes marked the issue as not a duplicate |
Picodes marked the issue as not a duplicate |
Picodes marked the issue as duplicate of #150 |
Picodes marked the issue as duplicate of #150 |
Picodes marked the issue as satisfactory |
Lines of code
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L173-L174
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/SfrxEth.sol#L74-L75
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/WstEth.sol#L60
Vulnerability details
Impact
There is a hardcoded slippage value for each derivative which can be changed by the owner using
setMaxSlippage()
. Because the slippage is not user-specified, if the slippage tolerance is not met, the protocol is unusable. The hardcoded slippage will result in thestake()
operation reverting if even one of the many derivatives cannot be exchanged within the slippage tolerance. Third parties can alter the exchange rate and cause the rate to be outside the slippage tolerance, preventing users from callingstake()
.Proof of Concept
If the slippage tolerance is not met during the
derivative.deposit()
call, the entirestake()
operation will revert.Every derivative has a slippage tolerance:
The simplest case of this denial of service is in Reth.sol because the Uniswap pool can be manipulated so that the price of rETH in the Uniswap pool drops below the rate calculated by
minOut
.Tools Used
Manual analysis
Recommended Mitigation Steps
Allow users to optionally specify the slippage when calling
stake()
, but use the owner-controlledmaxSlippage
if the user chooses not to specify a slippage tolerance.The text was updated successfully, but these errors were encountered: