Asymmetry contest - UniversalCrypto's results

Lines of code

https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/SafEth.sol#L91 https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L156 https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L173-L183

Vulnerability details

Impact

When a user stakes a portion of their msg.value can be used to call deposit in Reth.sol. If the Reth pool has no space for the users deposit then the users ETH is converted to WETH, then swapped for RETH. The issue is the minOut argument in the following function:

uint256 amountSwapped = swapExactInputSingleHop(
                W_ETH_ADDRESS,
                rethAddress(),
                500,
                msg.value,
                minOut
            );

This specifies the minimum RETH that will be received. However minOut is not calculated accurately which may result in minOut == 0. This allows a case where a user deposits ETH to Reth.sol however because the pool is full it attemps to convert to WETH, execute a swap and receive 0 RETH in return.

Proof of Concept

uint256 minOut = ((((rethPerEth * msg.value) / 10 ** 18) *
                ((10 ** 18 - maxSlippage))) / 10 ** 18);

To simplify this calculation the LHS can be written as

((rethPerEth * msg.value) / 10 ** 18) / 10 ** 18

RHS

(10 ** 18 - slippage) / 10 ** 18

As you can see the RHS 10**18 numerator and denominator will cancel out leaving -slippage. So regardless what the LHS is, the RHS will be 0 as the numerator will always be smaller than the denominator if slippage > 0. This means minOut will always be 0.

Tools Used

Manual

Recommended Mitigation Steps

Reformat the calculation for minOut to prevent it from rounding to zero, preferably handling all multiplication before division.