Asymmetry contest - 0xl51's results

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L91 https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L92 https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L228

Vulnerability details

Impact

The probability of the following events are theoretically possible, but considered as low. Although the impact is of a high importance.

Proof of Concept

In function stake(https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/SafEth.sol#L91) in SafEth.sol contract Bob decides to stake e.g. 2k ETH. This case scenario is possible due to the fact that the owner can set maxDeposit to be an integer as high as MAX_UINT. maxSlippage doesn't have any range in which could be set, so in a scenario in which the max slippage is set to e.g. 0.5e18(50%) for Reth. The weights for each derivative doesn't have any particular range in which could be set so the weight of the Reth in the index can variable from 0 - maxUint. When Bob stakes his 2k ETH if the weight of Reth at that moment is e.g. 50%, Bob is highly likely to hit the cap of the rocketDepositPool with the deposit of 1k ETH and poolCanDeposit fn to return false because rocketDepositPool.getBalance() + _amount <= rocketDAOProtocolSettingsDeposit.getMaximumDepositPoolSize(). This will lead to the swap in https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/Reth.sol#L177, where the fee tier for the pool is statically typed:

Reth.sol

```
            uint256 amountSwapped = swapExactInputSingleHop(
                W_ETH_ADDRESS,
                rethAddress(),
                500,
                msg.value,
                minOut
            );` 
 ```

Then after the deposit function in Reth.sol has completed, the new spot price will be extracted again with the deposit amount left after the swap: SafEth.sol

```
          uint derivativeReceivedEthValue = (derivative.ethPerDerivative(
                depositAmount
            ) * depositAmount) / 10 ** 18;
           
 ```

Reth.sol ...

```

        function poolPrice() private view returns (uint256) {
        address rocketTokenRETHAddress = RocketStorageInterface(
            ROCKET_STORAGE_ADDRESS
        ).getAddress(
                keccak256(
                    abi.encodePacked("contract.address", "rocketTokenRETH")
                )
            );
        IUniswapV3Factory factory = IUniswapV3Factory(UNI_V3_FACTORY);
        IUniswapV3Pool pool = IUniswapV3Pool(
            factory.getPool(rocketTokenRETHAddress, W_ETH_ADDRESS, 500)
        );
        (uint160 sqrtPriceX96, , , , , , ) = pool.slot0();
        return (sqrtPriceX96 * (uint(sqrtPriceX96)) * (1e18)) >> (96 * 2);
    }
 ```

After derivativeReceivedEthValue is calculated with the new price Bob will be then minted more tokens because of the inflated price of rETH in the pool with fee tier of 500.

```
            totalStakeValueEth += derivativeReceivedEthValue;
            uint256 mintAmount = (totalStakeValueEth * 10 ** 18) / preDepositPrice;
 ```

Tools Used

_

Recommended Mitigation Steps

Use TWAP oracle implementation from Uniswap V3.