Platform: Code4rena
Start Date: 30/04/2024
Pot Size: $112,500 USDC
Total HM: 22
Participants: 122
Period: 8 days
Judge: alcueca
Total Solo HM: 1
Id: 372
League: ETH
Rank: 83/122
Findings: 1
Award: $1.48
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: t0x1c
Also found by: 0xCiphky, 0xDemon, Bauchibred, DanielArmstrong, FastChecker, MSaptarshi, Maroutis, NentoR, Ocean_Sky, PNS, Rhaydden, SBSecurity, Shaheen, Tigerfrake, ZanyBonzy, atoko, btk, carlitox477, crypticdefense, honey-k12, hunter_w3b, ilchovski, jokr, ladboy233, rbserver, twcctop, umarkhatab_465
1.479 USDC - $1.48
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts%2FRestakeManager.sol#L491-L576
Missing slippage protection on deposit() and depositETH() functions in RestakeManager contract will leave users vulnerable to sandwich attacks by MEV bots, causing loss of funds to the user on minting.
These two functions allow user to deposit ERC20 or ETH collateral respectively into the protocol and mint ezETH in return.
function deposit(IERC20 _collateralToken, uint256 _amount) external { // Transfer collateral token to this contract _collateralToken.safeTransferFrom(msg.sender, address(this), _amount); // Calculate ezETH to mint based on the value of the deposit uint256 ezETHToMint = renzoOracle.calculateMintAmount( totalTVL, collateralTokenValue, ezETH.totalSupply() ); // Mint ezETH to the depositor ezETH.mint(msg.sender, ezETHToMint); }
function depositETH() external payable { // Calculate ezETH to mint based on the value of the ETH deposit uint256 ezETHToMint = renzoOracle.calculateMintAmount( totalTVL, msg.value, ezETH.totalSupply() ); // Mint ezETH to the depositor ezETH.mint(msg.sender, ezETHToMint); }
This functionality is same as a swap where users deposit foreign tokens for protocol's native tokens. Not setting a minAmountOut in functions like deposit() or depositETH() can result in losses for users due to slippage or unfavorable changes in the exchange rate between the time of transaction initiation and execution.
Scenario
100 tokens into the protocol, expecting to receive 50 ezETH based on the current exchange rate.minAmountOut, if the exchange rate changes unfavorably during the transaction, the user might end up receiving only 40 ezETH for the same 100 tokens.20% loss compared to the expected amount due to the absence of a safeguard against slippage.In contrast, if a minAmountOut of 45 ezETH was set, the transaction would fail instead of executing with a lower amount, protecting the user from receiving less than the minimum expected amount of ezETH.
Manual Review.
It is recommended to implement slippage protection by requiring users to provide an minAmountOut parameter when calling these functions.
This parameter ensures that the transaction is executed only if the resulting amount meets the user's specified minimum threshold, protecting them from potential losses due to price manipulation.
Allow a user to provide
minAmountOutparameter indeposit()anddepositETH()functions.
Other
#0 - c4-judge
2024-05-17T13:28:49Z
alcueca marked the issue as satisfactory