DittoETH

Summary

Using multiple LSTs in one Vault can lead to negative consequences and increases the chance of a black swan event where all assets of a vault are no longer backed by enough collateral.

Vulnerability Details

If for example a black swan event happens and one of the LST tokens inside a Vault drops drastically in price, users could misuse the protocol to swap these two LSTs in a 1:1 ratio to make profits. This would leave the system with only the bad tokens, and therefore all assets are no longer backed and all users of the system lose their funds. Such an event can not be prevented by the system, but by using one LST per Vault the chances of such an event can be reduced drastically and if it occurs only the users of one LST are affected and not the users of multiple ones.

Also, using multiple LSTs per Vault could be misused by users to buy LSTs cheaper by saving fees. For example:

• User deposits 100 ETH to mint LST1 paying a fee buying fee for 5 ETH

• User receives 95 zETH

• User pays the 95 zETH to receive 95 LST2

If now the minting fee for LST2 would have been 10% instead of the 5% of LST1 users can buy LST2 cheaper by doing this and therefore there as users take advantage of this, there will be no more LST2 left for the people who deposited in LST2 (because they swapped everything) and if the person would like to withdraw in LST2 again they are not able to, as more LST2 must be minted before being able to withdraw.

Impact

Users could take advantage of the possibility to swap tokens over the system. This increases the chance of a black swan event, which leads to a lot of unbacked assets and allow users to make profits on other users in an unintended way.

Tools Used

Manual Review

Recommendations

Limit every Vault to one LST.