This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
carrotsmuggler - Slashing during LSTCalculatorBase.sol deployment can show bad apr for months
#824
Labels
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
Medium
A valid Medium severity issue
Reward
A payout will be made for this issue
Sponsor Disputed
The sponsor disputed this issue's validity
Comments
github-actions
bot
added
Medium
This was referenced Sep 11, 2023
Closed
sherlock-admin2
changed the title
LSTCalculatorBase.sol deployment can show bad apr for monthsLSTCalculatorBase.sol deployment can show bad apr for months
|
This behavior is acceptable. If we happen to see a slash > 12 bps over the initial 9 days, yes, we set it to 0. It increases the ramp time for that LST so pools with that LST will be set aside for a while until some APR (incentive, etc) comes up. For larger slashes that are more material (> 25bps), we have a 90 day penalty anyway. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
carrotsmuggler
medium
Slashing during
LSTCalculatorBase.soldeployment can show bad apr for monthsSummary
Slashing during
LSTCalculatorBase.soldeployment can show bad apr for monthsVulnerability Detail
The contract
LSTCalculatorBase.solhas some functions to calculate the rough APR expected from a liquid staking token. The contract is first deployed, and the first snapshot is taken afterAPR_FILTER_INIT_INTERVAL_IN_SEC, which is 9 days. It then calculates the APR between the deployment and this first snapshot, and uses that to initialize the APR value. It uses the functioncalculateAnnualizedChangeMinZeroto do this calculation.The issue is that the function
calculateAnnualizedChangeMinZerohas a floor of 0. So if the backing of the LST decreases over that 9 days due to a slashing event in that interval, this function will return 0, and the initial APR andbaseAprwill be set to 0.The calculator is designed to update the APR at regular intervals of 3 days. However, the new apr is given a weight of 10% and the older apr is given a weight of 90% as seen below.
And alpha is hardcoded to 0.1. So if the initial APR starts at 0 due to a slashing event in the initial 9 day period, a large number of updates will be required to bring the APR up to the correct value.
Assuming the correct APR of 6%, and an initial APR of 0%, we can calculate that it takes upto 28 updates to reflect close the correct APR. This transaltes to 84 days. So the wrong APR cann be shown for upto 3 months. Tha protocol uses these APR values to justify the allocation to the various protocols. Thus a wrong APR for months would mean the protocol would sub optimally allocate funds for months, losing potential yield.
Impact
The protocol can underperform for months due to slashing events messing up APR calculations close to deployment date.
Code Snippet
https://github.com/sherlock-audit/2023-06-tokemak/blob/main/v2-core-audit-2023-07-14/src/stats/calculators/base/LSTCalculatorBase.sol#L108-L110
Tool used
Manual Review
Recommendation
It is recommended to initialize the APR with a specified value, rather than calculate it over the initial 9 days. 9 day window is not good enough to get an accurate APR, and can be easily manipulated by a slashing event.
The text was updated successfully, but these errors were encountered: