This repository has been archived by the owner on Nov 24, 2024. It is now read-only.

hunter_w3b - Protocol supports eETH but doesn't consider its also a rebase token like stETH #186

Closed
sherlock-admin2 opened this issue May 24, 2024 · 3 comments
Labels
Duplicate (A valid issue that is a duplicate of an issue with `Has Duplicates` label); High (A valid High severity issue); Reward (A payout will be made for this issue); Will Fix (The sponsor confirmed this issue will be fixed)

Comments

@sherlock-admin2

sherlock-admin2 commented May 24, 2024

hunter_w3b

high

Protocol supports eETH but doesn't consider its also a rebase token like stETH

Summary

eETH is also a rebasing token like stETH; it should check its value before and after the transfer.

Vulnerability Detail

eETH is also a rebasing token like stETH; it should check its value before and after the transfer.

Docs for eETH

eETH launched on November 15th, 2023

eETH, brought to you by ether.fi, is a Liquid Restaking Token that allows users to stake their ETH to accrue staking rewards and automatically restake their ETH in EigenLayer.

@>> weETH is the wrapped non rebasing version of eETH that can be used throughout the DeFI ecosystem. ether.fi will be working with DeFi partners to create utility for weETH including Balancer, Gravita, Pendle, Aura, Maverick, and many more, as well as other layer two protocols proceeding the launch date.

Rebasing tokens, such as eETH, have a dynamic supply that can complicate their integration with DeFi platforms.

    function depositStEth(uint256 _amount, uint256 _boostAmount) external {
        IERC20(stETH).safeTransferFrom(
            msg.sender,
            address(this),
            _amount
        );

        _depositPredefinedAsset(_amount, _amount, _boostAmount, PredefinedPool.wstETH);
    }


    function depositeEth(uint256 _amount, uint256 _boostAmount) external {
        IERC20(eETH).safeTransferFrom(
            msg.sender,
            address(this),
            _amount
        );

        _depositPredefinedAsset(_amount, _amount, _boostAmount, PredefinedPool.weETH);
    }


    function _depositPredefinedAsset(uint256 _amount, uint256 _initalAmount, uint256 _boostAmount, PredefinedPool _predefinedPool) internal {

        uint256 _finalAmount;

        if (_predefinedPool == PredefinedPool.sDAI) {
            _finalAmount = _daiTOsDai(_amount);
        } else if (_predefinedPool == PredefinedPool.wstETH) {
            _finalAmount = _stEthTOwstEth(_amount);
        } else if (_predefinedPool == PredefinedPool.weETH) {
            _finalAmount = _eethTOweEth(_amount);
        } else {
            revert InvalidDeposit();
        }

        // adjust boostAmount for the new asset
        _boostAmount = _boostAmount * _finalAmount / _initalAmount;

        _deposit(typeToId[_predefinedPool], _finalAmount, _boostAmount);
    }



    function _ethTOstEth(uint256 _amount) internal returns (uint256) {
        // submit function does not return exact amount of stETH so we need to check balances
        uint256 balanceBefore = IERC20(stETH).balanceOf(address(this));
        IstETH(stETH).submit{value: _amount}(address(this));
        return (IERC20(stETH).balanceOf(address(this)) - balanceBefore);
    }

    function _stEthTOwstEth(uint256 _amount) internal returns (uint256) {
        // wrap returns exact amount of wstETH
        return IwstETH(wstETH).wrap(_amount);
    }

    function _ethTOeEth(uint256 _amount) internal returns (uint256) {
        // deposit returns exact amount of eETH
@>>        return IeETHLiquidityPool(eETHLiquidityPool).deposit{value: _amount}(address(this));
    }

Impact

Code Snippet

https://github.com/sherlock-audit/2024-05-sophon/blob/main/farming-contracts/contracts/farm/SophonFarming.sol#L832-L836

Tool used

Manual Review

Recommendation

    function _ethTOeEth(uint256 _amount) internal returns (uint256) {
          // deposit returns exact amount of eETH
+         uint256 balanceBefore = IERC20(eETH).balanceOf(address(this));
+         IeETHLiquidityPool(eETHLiquidityPool).deposit{value: _amount}(address(this));
+         return (IERC20(eETH).balanceOf(address(this)) - balanceBefore);
    }
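
Review bot: the unchanged context line `// deposit returns exact amount of eETH` at the top of `_ethTOeEth` now contradicts the three added lines, which ignore the return value of `deposit` and measure the balance instead; reword it along the lines of the `_ethTOstEth` comment ("... so we need to check balances"). The hunk also touches only the ETH-to-eETH path: `depositeEth`, as quoted earlier in this report, still forwards `_amount` to `_depositPredefinedAsset` right after `safeTransferFrom`, so the fix should state whether a balance-before/after measurement is wanted there as well.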

Duplicate of #4
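
The difference between trusting a deposit call's return value and measuring the balance delta, as an added example that is not part of the original report and is not ether.fi or Sophon code. It uses a constructed, simplified share-based rebasing token; the class, the function names and the assumption that `deposit` reports minted shares are all hypothetical.

```python
# Constructed model of a share-based rebasing token; not ether.fi or Sophon code.
class RebasingPool:
    def __init__(self, pooled, shares):
        self.total_pooled = pooled    # underlying ETH backing all shares (wei)
        self.total_shares = shares
        self.shares_of = {}

    def balance_of(self, who):
        # Balances are derived from shares, so they move on every rebase.
        return self.shares_of.get(who, 0) * self.total_pooled // self.total_shares

    def deposit(self, who, amount):
        # Assumption of this model: the call reports minted shares,
        # not the token balance credited to the depositor.
        minted = amount * self.total_shares // self.total_pooled
        self.total_pooled += amount
        self.total_shares += minted
        self.shares_of[who] = self.shares_of.get(who, 0) + minted
        return minted

    def rebase(self, rewards):
        # Rewards raise the pooled amount without minting new shares.
        self.total_pooled += rewards


def convert_trusting_return(pool, who, amount):
    """Pattern flagged in the report: treat deposit()'s return value as the amount."""
    return pool.deposit(who, amount)


def convert_balance_delta(pool, who, amount):
    """Pattern from the Recommendation: measure the balance before and after."""
    before = pool.balance_of(who)
    pool.deposit(who, amount)
    return pool.balance_of(who) - before


def demo(amount=10**18):
    results = {}
    for name, fn in (("return_value", convert_trusting_return),
                     ("balance_delta", convert_balance_delta)):
        pool = RebasingPool(pooled=1_000 * 10**18, shares=1_000 * 10**18)
        pool.rebase(37 * 10**18)      # after rewards, one share is worth more than one unit
        results[name] = fn(pool, "farm", amount)
    return results
```

In this model the value returned by `deposit` is a share count that falls well below the deposited amount once rewards have accrued, while the balance delta stays within rounding distance of it.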

@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels May 28, 2024
@sherlock-admin2

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

valid because it's the shares that matter

@sherlock-admin3 sherlock-admin3 added the Will Fix The sponsor confirmed this issue will be fixed label May 29, 2024
@sherlock-admin3 sherlock-admin3 changed the title Amusing Coconut Lark - Protocol supports eETH but doesn't consider its also a rebase token like stETH hunter_w3b - Protocol supports eETH but doesn't consider its also a rebase token like stETH Jun 1, 2024
@sherlock-admin3 sherlock-admin3 added the Reward A payout will be made for this issue label Jun 1, 2024
@sherlock-admin2

The protocol team fixed this issue in the following PRs/commits:
sophon-org/farming-contracts@73adb67

@WangSecurity WangSecurity added High A valid High severity issue and removed Medium A valid Medium severity issue labels Jun 10, 2024
@sherlock-admin2

The Lead Senior Watson signed off on the fix.
