The strategy always assumes a 1:1 ratio between ETH and alETH which will create issues
Summary
In multiple sections of the code, the code treats ETH and alETH as if they are always interchangeable at a 1:1 ratio. However, alETH may trade at a premium or discount relative to actual ETH. This discrepancy will lead to incorrect accounting of total assets.
Vulnerability Details
The strategy handles both ETH and alETH but assumes they have equivalent value in several places:
In the
balanceDeployed()function:
In the
_harvestAndReport()function:
The strategy simply adds ETH and alETH balances together without any price adjustment using oracle prices, which would lead to incorrect total value calculations.
In
claimAndSwap(), when comparing minimum output:
In this example, the slippage protection is incufficient as even if _minOut > _amountClaim, the price of alETH might be priced lower than ETH. Which would mean that the actual value swapped will be lower.
Impact
-
Because of the assumption that WETH and alETH remain at parity, accounting for gains or losses will be inaccurate.
-
Insufficient slippage protection in swaps:
The
_minOut > _amountClaimcheck assumes 1:1 pricingCould allow unfavorable swaps if alETH is trading below ETH
Tools Used
Manual review
Recommendations
Consider using a robust price feed that provides the current market rate between ETH and alETH
Appeal created
balanceDeployed() and _harvestAndReport() add WETH and alETH, but they have different prices
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.