DittoETH
Ditto
DeFiFoundryOracle
55,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Protocol assumes that stETH == rETH == ETH, but that's wrong

T1MOH

Summary

Bridge's function getZethValue() must return locked amount of ETH, however now it returns balance of LST. Firstly LST value deviates from ETH, secondly protocol will overvalue them in case of stETH or rETH collapses.

Vulnerability Details

Bridges return balance of LST, instead of ETH equivalent

function getZethValue() external view returns (uint256) {
IRocketTokenRETH rocketETHToken = _getRethContract();
return rocketETHToken.getEthValue(rocketETHToken.balanceOf(address(this)));
}
function getZethValue() external view returns (uint256) {
return steth.balanceOf(address(this));
}

For example current price of rETH is 1.085 ETH

Function getZethValue() is used in LibVault.getZethTotal(), that is used in LibVault.updateYield(). As a result yield is incorrectly calculated. I consider it redundant to describe step by step why yield is calculated in a wrong way, because pricing of locked value in vault is critical issue by definition.
But can describe it more carefully in escalation period

Impact

Incorrect pricing will definitely introduce price manipulation attack in case of price deviation of stETH or rETH.

Tools Used

Manual Review

Recommendations

Convert stETH and rETH into ETH in functions getZethValue()

Updates

Lead Judging Commences

0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-579

T1MOH Submitter
about 2 years ago
0xnevi Lead Judge
about 2 years ago
0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-579

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.