Asymmetry contest - NoamYakov's results

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/main/contracts/SafEth/derivatives/WstEth.sol#L60

Vulnerability details

Impact

The unstake() function calls the withdraw() function of every derivative. The WstEth.withdraw() function calls IStEthEthPool(LIDO_CRV_POOL).exchange() to swap its stETH tokens with ETH. However, the min_dy argument that is passed to this function is miscalculated.

The function calculates minOut like that

uint256 minOut = (stEthBal * (10 ** 18 - maxSlippage)) / 10 ** 18;

and passes its value to the exchange() function as its min_dy argument. In our case, this argument specifies the minimum amount of ETH that the contract is willing to accept in exchange to the amount of stETH tokens it swaps.

The miscalculation here is that minOut is calculated in units stETH, instead of ETH. This means that if ETH is more expensive than stETH, minOut would be larger than intended - too large that the exchange() would have to revert because it couldn't offer the contract the minimum amount of ETH it asked to receive for the swap to succeed.

Because of the calculation of minOut take the maxSlippage in consideration - the ration between the prices of ETH and stETH must be smaller than 1e18 - maxSlippage for the exchange() function to revert.

Proof of Concept

If the ratio between the prices of ETH and stETH is smaller than 1e18 - maxSlippage - every call to unstake() would revert and fail. All the funds would be frozen until either:

• The ratio between the prices of ETH and stETH goes back above 1e18 - maxSlippage by itself
• The owner increases the maxSlippage just enough to make that ratio above 1e18 - maxSlippage

Tools Used

Manual code review.

Recommended Mitigation Steps

Fix the calculation of minOut so it will be in units of ETH, not stETH.