Back to 0xd1r4cde17a's contests

Asymmetry contest - 0xd1r4cde17a's results

A protocol to help diversify and decentralize liquid staking derivatives.

General Information

Platform: Code4rena

Start Date: 24/03/2023

Pot Size: $49,200 USDC

Total HM: 20

Participants: 246

Period: 6 days

Judge: Picodes

Total Solo HM: 1

Id: 226

League: ETH

Asymmetry Finance

Findings Distribution

Researcher Performance

Rank: 68/246

Findings: 1

Award: $81.32

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryAsymmetry Finance

Findings Information

🌟 Selected for report: CodingNameKiki

Also found by: 0xd1r4cde17a, Franfran, MadWookie, MiloTruck, Moliholy, adriro, ast3ros, bin2chen, giovannidisiena, gjaldon, igingu, koxuan, rbserver, rvierdiiev, shaka, slippopz

Awards

81.3214 USDC - $81.32

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-1004

External Links

Link to GitHub issue

Lines of code

ttps://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L72-L75 https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L211-L216 https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L212 https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L146-L149

Vulnerability details

Impact

Detailed description of the impact of this finding.

Under certain conditions, staking and unstaking may yield vastly different amounts of tokens. This is because staking calculates underlyingValue in an incorrect way for Reth when the balance staked is in the order of magnitude of rocketDAOProtocolSettingsDeposit.getMaximumDepositPoolSize().

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

The underlyingValue calculation is here. https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L72-L75

     underlyingValue +=
                    (derivatives[i].ethPerDerivative(derivatives[i].balance()) *
                        derivatives[i].balance()) /
                    10 ** 18;

The value is computed using ethPerDerivative (for Reth is here: https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L211-L216). Semantically, the underlyingValue calculation should not depend on logic in poolCanDeposit(_amount) called in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L212 which depends on logic such as https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L146-L149.

Note that the logic in stake() https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L92-L94 depends on ethPerDerivative but the logic in unstake() does not

Tools Used

Manual

Separate the logic used for calculating deposit values and for calculating underlyingValue

#0 - c4-pre-sort

2023-04-04T17:41:05Z

0xSorryNotSorry marked the issue as duplicate of #1004

#1 - c4-judge

2023-04-21T14:06:28Z

Picodes marked the issue as satisfactory

#2 - c4-judge

2023-04-24T21:40:10Z

Picodes changed the severity to 3 (High Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter