scammed - ChainlinkOracle assumes 1:1 ratio for stETH/ETH #209

Closed
sherlock-admin2 opened this issue Jun 27, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue Sponsor Disputed The sponsor disputed this issue's validity

Comments


sherlock-admin2 commented Jun 27, 2024

scammed

High

ChainlinkOracle assumes 1:1 ratio for stETH/ETH

Summary

ChainlinkOracle will use the wstETH/stETH exchange rate for pricing lpTokens, meaning it assumes a 1:1 ratio for stETH/ETH, which is not true most of the time (Ξ0.999900 at the time of writing).

Vulnerability Detail

The issue stems from the priceX96 implementations and the fact that there is no way to derive A/B token prices when there is no direct price feed:

    function priceX96(
        address vault,
        address token
    ) external view returns (uint256 priceX96_) {
    ...MORE CODE
        priceX96_ = FullMath.mulDiv(
            tokenPrice * 10 ** baseDecimals,//getAnswer
            Q96,
            baseTokenPrice * 10 ** decimals
        );
    }

Indeed, the first Vault deployment will be only with wstETH as the underlying token, and in order to calculate its price in terms of ETH we should first derive the wstETH/stETH rate (wsteth::getStETHByWstETH):

  function getAnswer() public view returns (int256) {
      return int256(IWSteth(wsteth).getStETHByWstETH(10 ** decimals));
  }

Then the stETH/ETH Chainlink price feed should be used to multiply, and then the decimals normalized. The exact same primer can be found in Lido's GitHub: https://github.com/lidofinance/wsteth-eth-price-feed/blob/main/contracts/AAVECompatWstETHToETHPriceFeed.sol#L39-L45
The issue with Mellow is that the wstETH price is calculated in terms of stETH only and used as such, wrongly assuming stETH and ETH will trade at a 1:1 ratio forever.

Impact

Arbitrage opportunities in Mellow due to a miscalculated wstETH price in terms of ETH.

Similar issues:

Code Snippet

https://github.com/mellow-finance/mellow-lrt/blob/dev-symbiotic-deploy/src/oracles/ChainlinkOracle.sol#L80-L99

https://github.com/mellow-finance/mellow-lrt/blob/ba168622a53e66c7655df5a6249760ecd9aa8f7d/src/oracles/WStethRatiosAggregatorV3.sol#L15-L17

Tool used

Manual Review

Recommendation

Chainlink oracle should be extended to support wstETH as performed in the Lido finance example.

Duplicate of #266
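A model of the two pricing paths the report compares, written as an added example that is not part of the issue or of the Mellow code base. It assumes 18-decimal feeds and a base token (ETH) priced at exactly 1e18; the rate and feed values are constructed, not live data.

```python
# Added example (not Mellow or Sherlock code): pricing wstETH in ETH with and without
# the stETH/ETH feed, using the same priceX96 arithmetic as the report's snippet.
from fractions import Fraction

Q96 = 2 ** 96
WAD = 10 ** 18  # 18-decimal fixed point used by wstETH and its rate helper

# Constructed sample values (assumptions, not observed on-chain data):
STETH_PER_WSTETH = 1_170_000_000_000_000_000   # getStETHByWstETH(1e18): 1 wstETH = 1.17 stETH
STETH_ETH_FEED_ANSWER = 999_900_000_000_000_000  # stETH/ETH feed answer: 0.9999, 18 decimals
STETH_ETH_FEED_DECIMALS = 18


def mul_div(a, b, denominator):
    """floor(a * b / denominator) with full intermediate precision, like FullMath.mulDiv."""
    if denominator == 0:
        raise ZeroDivisionError("mulDiv denominator is zero")
    return (a * b) // denominator


def price_x96(token_price, token_decimals, base_price, base_decimals):
    """The report's priceX96 formula: tokenPrice*10^baseDec * Q96 / (basePrice*10^dec)."""
    return mul_div(token_price * 10 ** base_decimals, Q96, base_price * 10 ** token_decimals)


def wsteth_answer_steth_only(steth_per_wsteth=STETH_PER_WSTETH):
    """What the report's getAnswer() returns: the wstETH/stETH rate, then used as if it were wstETH/ETH."""
    return steth_per_wsteth


def wsteth_answer_in_eth(steth_per_wsteth=STETH_PER_WSTETH,
                         steth_eth=STETH_ETH_FEED_ANSWER,
                         feed_decimals=STETH_ETH_FEED_DECIMALS):
    """Composed answer the report recommends: wstETH/stETH rate times the stETH/ETH feed,
    normalised back to 18 decimals (the approach of Lido's AAVECompatWstETHToETHPriceFeed)."""
    return steth_per_wsteth * steth_eth // 10 ** feed_decimals


def wsteth_price_x96(answer):
    """wstETH priced against ETH as base token, with ETH's own answer fixed at 1e18 (assumption)."""
    return price_x96(answer, 18, WAD, 18)


def relative_error(flawed, correct):
    """Signed relative overpricing of the stETH-only answer versus the composed one."""
    return Fraction(flawed - correct, correct)


if __name__ == "__main__":
    flawed, correct = wsteth_price_x96(wsteth_answer_steth_only()), wsteth_price_x96(wsteth_answer_in_eth())
    print(f"stETH-only priceX96: {flawed}\ncomposed priceX96:   {correct}")
    print(f"overpricing: {float(relative_error(flawed, correct)):.6%}")
```

With the constructed 0.9999 stETH/ETH rate the stETH-only path overprices wstETH by roughly 0.01%, which is the spread the report says an arbitrageur could capture; a wider depeg scales the error linearly.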

@sherlock-admin3 sherlock-admin3 changed the title Droll Ash Nuthatch - ChainlinkOracle unable to operate with feeds ≠ 18 decimals ChainlinkOracle assumes 1:1 ratio for stETH/ETH Jun 28, 2024
@sherlock-admin3 sherlock-admin3 added the Sponsor Disputed The sponsor disputed this issue's validity label Jun 30, 2024
@github-actions github-actions bot changed the title ChainlinkOracle assumes 1:1 ratio for stETH/ETH Droll Ash Nuthatch - ChainlinkOracle assumes 1:1 ratio for stETH/ETH Jul 6, 2024
@github-actions github-actions bot closed this as completed Jul 6, 2024
@github-actions github-actions bot added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 6, 2024
@sherlock-admin3 sherlock-admin3 changed the title Droll Ash Nuthatch - ChainlinkOracle assumes 1:1 ratio for stETH/ETH scammed - ChainlinkOracle assumes 1:1 ratio for stETH/ETH Jul 15, 2024
@sherlock-admin3 sherlock-admin3 added Non-Reward This issue will not receive a payout and removed Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 15, 2024
@WangSecurity WangSecurity added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 30, 2024
@sherlock-admin4 sherlock-admin4 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels Jul 31, 2024