Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mitigation of M-12: mitigation error, see comments #57

Closed
code423n4 opened this issue May 8, 2023 · 5 comments
Closed

Mitigation of M-12: mitigation error, see comments #57

code423n4 opened this issue May 8, 2023 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value duplicate-67 MR-NEW satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Copy link
Contributor

MITIGATION IS NOT CONFIRMED

MITIGATION IS NOT CONFIRMED

Mitigation of M-12: mitigation error, see comments

Link to Issue: code-423n4/2023-03-asymmetry-findings#150

Comments

While the proposed change correctly mitigates the issue, in the sense that it introduces a user controlled slippage for stake() and unstake(), the new changes conflict with an existing implementation that should be addressed.

Technical Details

The changeset adds a minimum output amount for the stake() and unstake() functions present in the SafEth.sol contract. If the output amount is below this limit, the transaction gets reverted, letting the user be in control of the final amounts they will receive.

This new feature is an excellent addition to the protocol. However, it conflicts with the previous slippage control, present in each of the 3 derivatives:

This means that a user may control slippage only under the (currently) 1% margin imposed in each derivative, as setting a lower amount will eventually be overridden by the limit on each derivative, which will revert the operation.

During times of high market volatility, a user may want to exit their position and set a high slippage, and eventually take losses beyond the protocol defined slippage present in each of the derivatives.

Recommendation

My recommendation is to keep the current changes in the pull request and remove the maxSlippage in each derivative. If the intention is to also have a finer control over the slippage in each individual derivative, then extend the new _minOut parameter to be one per derivative. This would allow the user to have complete control over their position. The protocol can provide safe defaults using off-chain mechanisms when the user operates through a front-end application.
code423n4 added a commit that referenced this issue May 8, 2023
@code423n4
adriro issue #57
6d09ce7
@elmutt
Copy link

elmutt commented May 8, 2023

Your issue makes sense but we awe are ok with having slippage in the derivatives as well as the main contract.

@romeroadrian romeroadrian mentioned this issue May 9, 2023
Open
@d3e4
Copy link

d3e4 commented May 10, 2023

This review doesn't explicitly mention the new issue reported in #67. But the recommendation here is essentially the same as in #67 and solves that issue as well.

@c4-judge
Copy link
Contributor

Picodes marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label May 11, 2023
@Picodes Picodes added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value selected for report This submission will be included/highlighted in the audit report and removed mitigation-confirmed labels May 17, 2023
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label May 17, 2023
@c4-judge
Copy link
Contributor

Picodes marked the issue as primary issue

@c4-judge
Copy link
Contributor

Picodes marked the issue as duplicate of #67

@c4-judge c4-judge added duplicate-67 and removed primary issue Highest quality submission among a set of duplicates labels May 17, 2023
@liveactionllama liveactionllama changed the title Mitigation Confirmed for M-12 Mitigation of M-12: mitigation error, see comments May 19, 2023
@Picodes Picodes removed the selected for report This submission will be included/highlighted in the audit report label May 22, 2023
@Picodes Picodes closed this as completed May 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value duplicate-67 MR-NEW satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@elmutt @Picodes @code423n4 @liveactionllama @c4-judge @d3e4