Reth griefing
Closed this issue · 7 comments
Lines of code
Vulnerability details
Impact
The maximum slippage when buying rETH from the Uniswap V3 pool is calculated in the Reth derivative contract by taking the current price in the Uniswap V3 pool at runtime, without taking into account the price at which the user sent the transaction to the mempool:
uint rethPerEth = (10 ** 36) / poolPrice();
uint256 minOut = ((((rethPerEth * msg.value) / 10 ** 18) *
((10 ** 18 - maxSlippage))) / 10 ** 18);
Thus, a malicious actor can create a sandwich of three transactions in which they first raise the price of rETH, then execute the user's stake() with a purchase of rETH at an unfavorable price, and then return the pool price to normal.
The victim will receive fewer shares than expected. Firstly, because the underlyingValue in the stake() function will increase due to the fact that Reth.poolPrice() will return an inflated value. Secondly, because Reth.deposit() will return a smaller amount of rETH when purchasing from the UniswapV3 pool.
Tools Used
x
Recommended Mitigation Steps
The slippage should be calculated and controlled by the user before submitting a stake() transaction to the mempool. For example, minOut can be passed as an argument to the stake() function.
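The effect of the two ways of deriving minOut can be checked with a small model. This is an added example, not code from the report or the project: the constant-product `Pool` class, the function names and all amounts are constructed assumptions (the real pool is Uniswap V3, and fees are ignored); only the minOut arithmetic is taken from the snippet quoted above.

```python
WAD = 10**18  # 18-decimal fixed point, as in the contract

class Pool:
    """Constant-product ETH/rETH pool (assumption: stands in for Uniswap V3, no fees)."""
    def __init__(self, eth, reth):
        self.eth, self.reth = eth, reth

    def pool_price(self):
        # ETH per rETH, 1e18-scaled, playing the role of Reth.poolPrice()
        return self.eth * WAD // self.reth

    def buy_reth(self, eth_in, min_out):
        # Swap along x*y=k; revert (raise) before any state change if under min_out
        out = self.reth - (self.eth * self.reth) // (self.eth + eth_in)
        if out < min_out:
            raise ValueError("slippage bound not met")
        self.eth, self.reth = self.eth + eth_in, self.reth - out
        return out

def min_out_from_pool(pool, value, max_slippage):
    # Same arithmetic as the snippet quoted in the report
    reth_per_eth = 10**36 // pool.pool_price()
    return ((reth_per_eth * value) // WAD) * (WAD - max_slippage) // WAD

def deposit_runtime_bound(pool, value, max_slippage):
    # Reported behaviour: bound derived from the pool at execution time
    return pool.buy_reth(value, min_out_from_pool(pool, value, max_slippage))

def deposit_user_bound(pool, value, user_min_out):
    # Recommended mitigation: bound chosen by the user before submitting
    return pool.buy_reth(value, user_min_out)

def scenario():
    value, slip = 10 * WAD, WAD // 100             # 10 ETH, 1% maxSlippage (constructed)
    fair = Pool(10_000 * WAD, 10_000 * WAD)        # pool state when the user signs
    quoted = min_out_from_pool(fair, value, slip)  # what the user expects: 9.9 rETH
    moved = Pool(fair.eth, fair.reth)
    moved.buy_reth(1_000 * WAD, 0)                 # pool price moved before execution
    try:
        deposit_user_bound(Pool(moved.eth, moved.reth), value, quoted)
        user_bound_reverted = False
    except ValueError:
        user_bound_reverted = True
    received = deposit_runtime_bound(moved, value, slip)  # runtime check still passes
    return quoted, received, user_bound_reverted

if __name__ == "__main__":
    print(scenario())
```

In this model the runtime-derived bound moves with the pool, so the deposit succeeds with roughly 8.26 rETH against the 9.9 rETH the user quoted, while the user-supplied bound makes the same deposit revert.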
0xSorryNotSorry marked the issue as duplicate of #601
0xSorryNotSorry marked the issue as not a duplicate
Marking as invalid on behalf of the Lookout.
Reason: Dupe of same warden's issue #1125
toshiSat marked the issue as sponsor disputed
Picodes marked the issue as nullified
Picodes marked the issue as satisfactory
Picodes marked the issue as nullified