Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X12 - Bonds will not work with stETH #72

Closed
sherlock-admin4 opened this issue Jun 27, 2024 · 0 comments
Closed

X12 - Bonds will not work with stETH #72

sherlock-admin4 opened this issue Jun 27, 2024 · 0 comments
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity

Comments

@sherlock-admin4
Copy link
Contributor

sherlock-admin4 commented Jun 27, 2024
edited by sherlock-admin3
Loading

X12

Medium

Bonds will not work with stETH

Summary

stETH rebases will get stuck inside the bond contract.

Vulnerability Detail

stETH will be one of the three (or four, including ETH) whitelisted tokens.

Whitelisted tokens:
- ETH
- WETH - https://etherscan.io/token/0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
- STETH - https://etherscan.io/token/0xae7ab96520de3a18e5e111b5eaab095312d7fe84
- WSTETH - https://etherscan.io/token/0x7f39c581f595b53c5cb19bd0b3f8da6c935e2ca0

Tokens are not kept in the Vault but are deposited into bonds. However, when stETH is deposited into bonds with DefaultBondModule::depost, the bond contracts won't account for rebasing tokens. Here is an example of a bond deposit/withdrawal:

https://etherscan.deth.net/address/0xB56dA788Aa93Ed50F50e0d38641519FfB3C3D1Eb

    function deposit(address recipient, uint256 amount) public nonReentrant returns (uint256) {
        uint256 balanceBefore = IERC20(asset).balanceOf(address(this));
        IERC20(asset).transferFrom(msg.sender, address(this), amount);
        amount = IERC20(asset).balanceOf(address(this)) - balanceBefore;

        if (amount == 0) {
            revert InsufficientDeposit();
        }

        if (totalSupply() + amount > limit) {
            revert ExceedsLimit();
        }

        _mint(recipient, amount);
        emit Deposit(msg.sender, recipient, amount);
        return amount;
    }

    function withdraw(address recipient, uint256 amount) external {
        if (amount == 0) {
            revert InsufficientWithdraw();
        }

        _burn(msg.sender, amount);
        IERC20(asset).safeTransfer(recipient, amount);
        emit Withdraw(msg.sender, recipient, amount);
    }

As shown, deposit and withdraw functions do not account for shares but simply mint/burn the deposited amount. This means that if an stETH rebase is triggered, the bond contract will not account for it, causing the rebase value to remain stuck inside the contract.

Impact

The Vault loses out on stETH rebases.

Code Snippet

    function withdraw(address recipient, uint256 amount) external {
        if (amount == 0) {
            revert InsufficientWithdraw();
        }

        _burn(msg.sender, amount);
        IERC20(asset).safeTransfer(recipient, amount);
        emit Withdraw(msg.sender, recipient, amount);
    }

Tool used

Manual Review

Recommendation

Use bond contracts that calculate assets based on the shares owned.
@sherlock-admin4 sherlock-admin4 changed the title Suave Felt Fly - [H-1] DepositWrapper::deposit function will revert because it will be off by 1-2 wei in the case of stETH deposits. Bonds will not work with stETH Jun 28, 2024
@sherlock-admin3 sherlock-admin3 added the Sponsor Disputed The sponsor disputed this issue's validity label Jun 30, 2024
@github-actions github-actions bot changed the title Bonds will not work with stETH Creamy Malachite Condor - Bonds will not work with stETH Jul 6, 2024
@github-actions github-actions bot closed this as completed Jul 6, 2024
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label Jul 6, 2024
@sherlock-admin3 sherlock-admin3 changed the title Creamy Malachite Condor - Bonds will not work with stETH X12 - Bonds will not work with stETH Jul 15, 2024
@sherlock-admin3 sherlock-admin3 added the Non-Reward This issue will not receive a payout label Jul 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Excluded Excluded by the judge without consulting the protocol or the senior Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin3 @sherlock-admin4