H-01 MitigationConfirmed

[c4-submissions]

Lines of code

Vulnerability details

In the previous implementation, cbETH, rETH, ankrETH Use ETH as ref
But it should actually be ETH2, and token.exchangeRate() is for ETH2 and the corresponding pegPricei s inaccurate

Mitigation

PR 899
Adjusted to EHT2 and introduced targetPerTokChainlinkFeed instead of _underlyingRefPerTok for price calculation
the mitigation resolved the original issue.

obscure

Reth Is to provide reth.burn() get eth from reth via getExchangeRate() without loss.
https://etherscan.io/token/0xae78736cd615f374d3085123a210448e74fc6393#code

    // Burn rETH for ETH
    function burn(uint256 _rethAmount) override external {
        // Check rETH amount
        require(_rethAmount > 0, "Invalid token burn amount");
        require(balanceOf(msg.sender) >= _rethAmount, "Insufficient rETH balance");
        // Get ETH amount
@>      uint256 ethAmount = getEthValue(_rethAmount);
        // Get & check ETH balance
        uint256 ethBalance = getTotalCollateral();
        require(ethBalance >= ethAmount, "Insufficient ETH balance for exchange");
        // Update balance & supply
        _burn(msg.sender, _rethAmount);
        // Withdraw ETH from deposit pool if required
        withdrawDepositCollateral(ethAmount);
        // Transfer ETH to sender
@>      msg.sender.transfer(ethAmount);
        // Emit tokens burned event
        emit TokensBurned(msg.sender, _rethAmount, ethAmount, block.timestamp);
    }

So it makes sense for reth to use eth as a ref.
It's a slightly different situation than cbETH, ankrETH.

[c4-judge]

thereksfour marked the issue as satisfactory