Platform: Code4rena
Start Date: 24/03/2023
Pot Size: $49,200 USDC
Total HM: 20
Participants: 246
Period: 6 days
Judge: Picodes
Total Solo HM: 1
Id: 226
League: ETH
Rank: 221/246
Findings: 1
Award: $4.54
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xMirce, 0xRajkumar, 0xepley, BPZ, Bahurum, Bauer, Co0nan, Emmanuel, Franfran, HollaDieWaldfee, IgorZuk, MiloTruck, NoamYakov, RedTiger, Ruhum, T1MOH, Tricko, ad3sh_, auditor0517, bin2chen, carrotsmuggler, eyexploit, handsomegiraffe, igingu, jasonxiale, koxuan, lukris02, monrel, nadin, peanuts, rbserver, rvierdiiev, shaka, sinarette, tnevler, y1cunhui
4.5426 USDC - $4.54
As the comment of this function says, the expected behaviour of this function is to return the WstETH price in terms of ETH. However, it returns the WstETH price in terms of stETH instead. This will cause the price inconsistent with the actual price as expected.
At the time I was writing this issue, the stETH/ETH price in curve/uniswap is 1.001, not actually the same. And there is some time that stETH price depegged a lot, for example around 5% during the 3AC liquidation period. So the assumption that stETH price == ETH price is not true.
Manual Review
consider get this price from the curve pool.
#0 - c4-pre-sort
2023-04-03T11:06:11Z
0xSorryNotSorry marked the issue as low quality report
#1 - c4-pre-sort
2023-04-04T17:16:58Z
0xSorryNotSorry marked the issue as duplicate of #588
#2 - c4-judge
2023-04-21T17:11:05Z
Picodes marked the issue as satisfactory
#3 - c4-judge
2023-04-23T11:07:04Z
Picodes changed the severity to 3 (High Risk)