DeFiFoundry
60,000 USDC
Submission Details
Severity: medium
Invalid

The tokens received by the protocol may be less than expected, potentially causing the protocol to operate abnormally

Summary

Because of rounding down, the stETH balance of an account can be 1-2 wei lower than expected. The rounding is not only a display issue: it also affects transfers, so transferring an amount from accountA to accountB can leave accountB with slightly less than the amount sent. In the vault.deposit() function, the protocol receives less than expected yet still uses the requested amount for its calculations, so the subsequent accounting is inaccurate.
A similar issue arises with fee-on-transfer tokens, where the amount received is less than the amount transferred, so the protocol records more than it actually received.

Vulnerability Details

In the depositMargin() function, the protocol calls safeTransferFrom() to pull funds from msg.sender and then credits the corresponding amount to the tradingAccount. However, stETH has a known 1-2 wei corner case, documented by Lido, in which the amount received through safeTransferFrom() does not exactly match the amount requested. The protocol records the requested amount, which can slightly exceed the amount actually received, so the recorded balances end up larger than the tokens the contract holds. This discrepancy can lead to a situation where the last user is unable to withdraw their full balance. Fee-on-transfer tokens trigger the same problem, since the received amount is always less than the transferred amount.

// get the tokens first
IERC20(collateralType).safeTransferFrom(msg.sender, address(this), amount);
// then perform the actual deposit
tradingAccount.deposit(collateralType, amountX18);

Impact

Because recorded balances exceed the tokens the contract actually holds, the last user to withdraw may be unable to withdraw their full balance.

Tools Used

VSCode

Recommendations

Measure the contract's token balance before and after the transfer, and treat the difference as the amount actually received. Use that received amount, not the requested amount, for the deposit accounting.
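The recommended balance-difference pattern next to the unchecked one, as an added illustration that is not the audited protocol's code. The contract, its mapping-based accounting, and the function names are constructed for this example; the audited contract's tradingAccount and 18-decimal conversion are replaced by the minimal equivalent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed margin vault used to contrast the two deposit patterns.
contract MarginVaultExample {
    using SafeERC20 for IERC20;

    // user => collateral token => credited margin (hypothetical accounting)
    mapping(address => mapping(address => uint256)) public margin;

    /// Pattern from the finding: credits the requested `amount`, which can
    /// exceed what the vault received for stETH (1-2 wei rounding) or for
    /// fee-on-transfer tokens, so recorded balances drift above real holdings.
    function depositMarginUnchecked(address collateralType, uint256 amount) external {
        IERC20(collateralType).safeTransferFrom(msg.sender, address(this), amount);
        margin[msg.sender][collateralType] += amount;
    }

    /// Recommended pattern: measure the vault's balance before and after the
    /// transfer and credit only the difference, i.e. the tokens actually held.
    /// Pair this with a reentrancy guard if the collateral token can call back
    /// into the vault during the transfer, so the balance snapshot stays valid.
    function depositMargin(address collateralType, uint256 amount) external {
        IERC20 token = IERC20(collateralType);
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        require(received > 0, "nothing received");
        margin[msg.sender][collateralType] += received;
    }
}
```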

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
