
infect3d - Mellow assume 1 stETH == 1 WETH which open-up opportunities for arbitrage #123

Closed
sherlock-admin3 opened this issue Jun 27, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Disputed The sponsor disputed this issue's validity

Comments

sherlock-admin3 (Contributor) commented Jun 27, 2024

infect3d

Medium

Mellow assume 1 stETH == 1 WETH which open-up opportunities for arbitrage

Summary

Because the stETH price fluctuates relative to the WETH price, wstETH:ETH pricing based solely on the wstETH:stETH exchange rate is inaccurate.

Vulnerability Detail

https://dune.com/LidoAnalytical/Curve-ETHstETH
https://dune.com/queries/3852516/6479636

Because stETH is the result of staked ETH, its demand can vary depending on market and technical conditions, and its price fluctuates compared to ETH, as shown by this Dune dashboard.

This means people can buy stETH on the market at a discount (stETH:ETH < 1) and deposit into the vault at a value of stETH:ETH == 1; the result is shares minted as if they had deposited more stETH than they actually did.

If we look at the stETH:ETH exchange rate over a longer timescale, we can see that there have been times when stETH was trading well below 1:1, giving users plenty of time to deposit into the protocol, wait for the price to recover, and request a withdrawal.

Impact

Users will be able to mint vault shares at a discount during depeg events and withdraw when the market gets healthier, profiting off other users who deposited during healthy periods.

Code Snippet

This is the oracle used for wstETH : https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/oracles/WStethRatiosAggregatorV3.sol#L9-L9

File: src/oracles/WStethRatiosAggregatorV3.sol

```solidity
// The pragma and the two minimal interface declarations below are added so the
// snippet compiles stand-alone; they are not the repository's own declarations.
pragma solidity ^0.8.0;

interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80, int256, uint256, uint256, uint80);
}

interface IWSteth {
    // Amount of stETH backing `wstethAmount` of wstETH
    function getStETHByWstETH(uint256 wstethAmount) external view returns (uint256);
}

contract WStethRatiosAggregatorV3 is IAggregatorV3 {
    uint8 public constant decimals = 18;
    address public immutable wsteth;

    constructor(address wsteth_) {
        wsteth = wsteth_;
    }

    function getAnswer() public view returns (int256) {
        // ⚠ Returns stETH per 1 wstETH and is consumed as ETH per wstETH,
        // i.e. stETH:ETH is implicitly assumed to be exactly 1.
        return int256(IWSteth(wsteth).getStETHByWstETH(10 ** decimals));
    }

    function latestRoundData()
        public
        view
        override
        returns (uint80, int256, uint256, uint256, uint80)
    {
        return (0, getAnswer(), block.timestamp, block.timestamp, 0);
    }
}
```

Tool used

Manual review

Recommendation

Use the existing StETH:ETH Chainlink price feed to complete the pricing chain and get an accurate value of wstETH to ETH.

Duplicate of #266
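As an added illustration of the finding's arithmetic (this is neither the submitter's code nor part of the Mellow code base), the following Python model compares the page's naive wstETH pricing with the recommended chained pricing on a hypothetical vault. It assumes a vault that holds both WETH and wstETH, values all holdings in ETH through a single wstETH:ETH oracle, mints shares pro rata to that value, and pays withdrawals in kind pro rata; the holdings, the 1.15 stETH-per-wstETH rate and the 0.95 stETH:ETH depeg rate are constructed sample values, not market data.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

WAD = 10 ** 18  # 18-decimal fixed point, matching the oracle's `decimals`

# Constructed sample rates (not live market data):
# 1 wstETH is backed by 1.15 stETH, and stETH trades at 0.95 ETH during a depeg.
STETH_PER_WSTETH = 115 * 10 ** 16
ETH_PER_STETH_DEPEG = 95 * 10 ** 16


def naive_wsteth_price(steth_per_wsteth: int, eth_per_steth: int) -> int:
    """Mirrors WStethRatiosAggregatorV3.getAnswer: the stETH:ETH leg is dropped."""
    return steth_per_wsteth


def chained_wsteth_price(steth_per_wsteth: int, eth_per_steth: int) -> int:
    """The recommendation: wstETH:ETH = (stETH per wstETH) * (ETH per stETH)."""
    return steth_per_wsteth * eth_per_steth // WAD


@dataclass
class Vault:
    """Hypothetical vault holding WETH and wstETH, valued in ETH via one wstETH oracle."""
    weth: int
    wsteth: int
    shares: int

    def total_value(self, wsteth_price: int) -> int:
        return self.weth + self.wsteth * wsteth_price // WAD

    def deposit_wsteth(self, amount: int, wsteth_price: int) -> int:
        # Shares minted pro rata to the ETH value the oracle assigns to the deposit.
        value_in = amount * wsteth_price // WAD
        minted = value_in * self.shares // self.total_value(wsteth_price)
        self.wsteth += amount
        self.shares += minted
        return minted

    def withdraw(self, burned: int) -> Tuple[int, int]:
        # Withdrawals pay out each holding pro rata to the shares burned.
        weth_out = self.weth * burned // self.shares
        wsteth_out = self.wsteth * burned // self.shares
        self.weth -= weth_out
        self.wsteth -= wsteth_out
        self.shares -= burned
        return weth_out, wsteth_out


def round_trip_gain(price_fn: Callable[[int, int], int], deposit: int = 100 * WAD) -> int:
    """ETH-denominated gain of a deposit-then-withdraw round trip at depeg prices.

    Cost and proceeds are both valued at the true (chained) market price, so a
    positive result is value taken from the vault's existing depositors.
    """
    vault = Vault(weth=500 * WAD, wsteth=500 * WAD, shares=1000 * WAD)  # constructed state
    market_price = chained_wsteth_price(STETH_PER_WSTETH, ETH_PER_STETH_DEPEG)
    cost = deposit * market_price // WAD
    oracle_price = price_fn(STETH_PER_WSTETH, ETH_PER_STETH_DEPEG)
    minted = vault.deposit_wsteth(deposit, oracle_price)
    weth_out, wsteth_out = vault.withdraw(minted)
    proceeds = weth_out + wsteth_out * market_price // WAD
    return proceeds - cost


if __name__ == "__main__":
    print("naive oracle gain (wei):  ", round_trip_gain(naive_wsteth_price))
    print("chained oracle gain (wei):", round_trip_gain(chained_wsteth_price))
```

With the naive oracle the round trip nets roughly 2.4 ETH on a 100 wstETH deposit at these sample rates, and that amount is exactly what the other depositors lose; with the chained oracle the result is zero up to a few wei of floor-division rounding, which is the expected direction (rounding against the withdrawer). A production version of the chained oracle would additionally need to check the Chainlink feed's staleness and sign before multiplying.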

@sherlock-admin2 sherlock-admin2 changed the title Energetic Slate Panther - Withdrawals cannot be processed or settled before their their deadline Mellow assume 1 stETH == 1 WETH which open-up opportunities for arbitrage Jun 28, 2024
@sherlock-admin3 sherlock-admin3 added the Sponsor Disputed The sponsor disputed this issue's validity label Jun 30, 2024
@github-actions github-actions bot changed the title Mellow assume 1 stETH == 1 WETH which open-up opportunities for arbitrage Teeny Holographic Bobcat - Mellow assume 1 stETH == 1 WETH which open-up opportunities for arbitrage Jul 6, 2024
@github-actions github-actions bot closed this as completed Jul 6, 2024
@github-actions github-actions bot added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 6, 2024
@sherlock-admin3 sherlock-admin3 changed the title Teeny Holographic Bobcat - Mellow assume 1 stETH == 1 WETH which open-up opportunities for arbitrage infect3d - Mellow assume 1 stETH == 1 WETH which open-up opportunities for arbitrage Jul 15, 2024
@sherlock-admin3 sherlock-admin3 added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 15, 2024
@WangSecurity WangSecurity added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 30, 2024
@sherlock-admin4 sherlock-admin4 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Jul 31, 2024