xiaoming90 - Stat calculator returns incorrect report for swETH #587
Comments
1 comment(s) were left on this issue during the judging contest. Trumpero commented:
Escalate

After my discussion with the protocol team during the audit period (as shown below), the purpose of the

It is incorrect that the premium for swETH is intended to be always zero, as mentioned in the judging comment. If the premium always returns zero, the stat calculator for swETH is effectively broken, which is a serious issue. The judging comment is also incorrect in stating there is no vulnerability if the premium is zero. The stat calculator exists for a reason, and an incorrect stat calculator ultimately leads to losses to the protocol, as mentioned in the "Impact" section of my report:

Thus, this is a valid High issue.
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

Can you take a look at this issue @codenutt?

Yup, definitely an issue. It's more an issue with the oracle itself than the calculator, but an issue nonetheless.

Planning to accept escalation and make issue high.
Result:

Escalations have been resolved successfully! Escalation status:
xiaoming90
high
Stat calculator returns incorrect report for swETH
Summary
The stat calculator returns incorrect reports for swETH, which has multiple implications that could lead to losses to the protocol.
Vulnerability Detail
The purpose of the in-scope SwEthEthOracle contract is to act as a price oracle specifically for swETH (Swell ETH), per the comment in the contract below and the codebase's README:
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/oracles/providers/SwEthEthOracle.sol#L16

Per the codebase in the contest repository, the price oracle for swETH is understood to be configured to the SwEthEthOracle contract at Line 252 below:
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/test/oracles/RootOracleIntegrationTest.t.sol#L252
Thus, in the context of this audit, the price oracle for swETH is mapped to the SwEthEthOracle contract. Both the swETH oracle and the calculator use the same built-in swEth.swETHToETHRate function to retrieve the price of swETH in ETH:

swEth.swETHToETHRate()
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/oracles/providers/SwEthEthOracle.sol#L26

IswETH(lstTokenAddress).swETHToETHRate()
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/SwethLSTCalculator.sol#L12
Within the LSTCalculatorBase.current function, assume that the swEth.swETHToETHRate function returns $x$ when called. In this case, the price at Line 203 below and backing in Line 210 below will both be set to $x$, since the getPriceInEth and calculateEthPerToken functions depend on the same swEth.swETHToETHRate function internally. Thus, priceToBacking will always be 1e18:

Since priceToBacking is always 1e18, the premium will always be zero:

As a result, the calculator will always produce a wrong statistics report for swETH. If there is a premium or discount, the calculator will wrongly report none.
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/base/LSTCalculatorBase.sol#L189
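As an added illustration of the coupling described above (this is not code from the Tokemak repository), here is an integer fixed-point model of the premium computation; the `premium = priceToBacking - 1e18` shape and the SwellRate stand-in for the swETH contract are assumptions.

```python
# Added example (not Tokemak code): fixed-point model of the premium computation
# in LSTCalculatorBase.current, assuming the shape
#   priceToBacking = price * 1e18 / backing;  premium = priceToBacking - 1e18
# with the two swETH sources wired the way the report describes.
from typing import List, Optional, Tuple

WAD = 10**18  # 1e18 fixed-point scale used by the calculator


class SwellRate:
    """Stands in for the swETH contract (constructed); rate_wad is what swETHToETHRate() returns."""

    def __init__(self, rate_wad: int) -> None:
        self.rate_wad = rate_wad

    def swETHToETHRate(self) -> int:
        return self.rate_wad


def sweth_oracle_price(sw: SwellRate) -> int:
    """SwEthEthOracle.getPriceInEth as wired in the audit scope: just the Swell rate."""
    return sw.swETHToETHRate()


def sweth_backing(sw: SwellRate) -> int:
    """SwethLSTCalculator.calculateEthPerToken: the very same Swell rate."""
    return sw.swETHToETHRate()


def premium(price_wad: int, backing_wad: int) -> int:
    """Signed premium in WAD units: +5e16 means swETH prices 5% above its backing."""
    price_to_backing = price_wad * WAD // backing_wad  # uint256-style floor division
    return price_to_backing - WAD


def reported_premium(sw: SwellRate, market_price_wad: Optional[int] = None) -> int:
    """Premium the calculator would report. With market_price_wad set, the price side
    comes from an independent market source instead (the report's recommendation)."""
    backing = sweth_backing(sw)
    price = sweth_oracle_price(sw) if market_price_wad is None else market_price_wad
    return premium(price, backing)


def calculator_is_blind(scenarios: List[Tuple[int, int]]) -> bool:
    """Review check over (swell_rate_wad, true_market_price_wad) scenarios: if the market
    genuinely diverges from backing yet the coupled calculator never leaves zero, the
    premium/discount signal can never reach the rebalance strategy."""
    coupled = [reported_premium(SwellRate(rate)) for rate, _ in scenarios]
    true_premiums = [premium(mkt, rate) for rate, mkt in scenarios]
    return any(p != 0 for p in true_premiums) and all(p == 0 for p in coupled)
```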
Impact
The purpose of the stats/calculators contracts is to store, augment, and clean data relevant to the LMPs. When the solver proposes a rebalance, the strategy uses the stats contracts to calculate a composite return (score) for the proposed destinations. Using that composite return, it determines if the swap is beneficial for the vault.
If a stat calculator provides inaccurate information, it can have multiple consequences that lead to losses to the protocol, such as a false signal that allows an unprofitable rebalance to be executed.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/base/LSTCalculatorBase.sol#L189
Tool used
Manual Review
Recommendation
When handling swETH within the LSTCalculatorBase.current function, consider other methods of obtaining the fair market price of swETH that do not rely on the swEth.swETHToETHRate function, such as an external third-party price oracle.