[Lines of code](https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L240) # Vulnerability details ## Impact Using a flashloan to manipulate rETH/ETH price a hacker can receive more SafEth shares for the same amount of ether, thus draining all three derivative contracts (rETH, SfrxEth and WstEth). ## Proof of Concept Reth.poolPrice() depends on UniswapV3 pool.slot0() which can be manipulated via flash loan: (uint160 sqrtPriceX96, , , , , , ) = pool.slot0(); Reth.poolPrice() is used in Reth.ethPerDerivative() in case if the new Rocket Pool balance exceeds a certain limit which is determined via poolCanDeposit() function: function ethPerDerivative(uint256 _amount) public view returns (uint256) { if (poolCanDeposit(_amount)) return RocketTokenRETHInterface(rethAddress()).getEthValue(10 ** 18); else return (poolPrice() * 10 ** 18) / (10 ** 18); } The poolCanDeposit() function checks if the current balance plus the user deposit is inside the Rocket Pool constraints: return rocketDepositPool.getBalance() + _amount <= rocketDAOProtocolSettingsDeposit.getMaximumDepositPoolSize() && _amount >= rocketDAOProtocolSettingsDeposit.getMinimumDeposit(); On the block number 16934718 on the Ethereum Mainnet the getMaximumDepositPoolSize() function returns a raw value 5000000000000000000000 which is equal to **5000 ETH**. The function getMinimumDeposit returns a raw value 10000000000000000 which is equal to 0.01 ETH. Note that on block number 16934718 on the Ethereum Mainnet the Rocket Pool is already at its limit and poolCanDeposit(amount) returns false for any positive amount. Also note that even if it wasn't at its limit a hacker would still be able to push it to the limit by taking flashloan and depositing a large value of rETH to Rocket Pool directly. The REth derivative contract uses Uniswap V3 to determine the price and do swaps: IUniswapV3Pool pool = IUniswapV3Pool( factory.getPool(rocketTokenRETHAddress, W_ETH_ADDRESS, 500) ); This is the rETH/ETH pool at As of block 16934718 that pool TVL is ~1630.0 rETH and ~1300 ETH. The price of rETH can be push down by 90% by taking a flash loan of 1500 rETH from balancer.fi. Let's consider a scenario in which a hacker takes a flash loan from balancer.fi and drops price by 90% in UniswapV3 pool that Reth derivative contract uses to determine its price. Let's walk step by step on what happens when they call stake() function with 100 ETH: First requirements are passed (msg.value == 100 ether): function stake() external payable { require(pauseStaking == false, "staking is paused"); require(msg.value >= minAmount, "amount too low"); require(msg.value <= maxAmount, "amount too high"); For simplicity's sake let's imagine that SafEth derivative weights are WstEth 25%, SfrxEth 25% and rETH 50%, and that the contract derivative pools have 500 WstEth + 500 SftxEth + 1000 rETH, and the SafEth.totalSupply is 2000 ether. Note that since the Reth derivative pool price was dropped by 90% by the hacker, the underlyingValue is caulculated as 500 + 500 + 100 == 1100 ether: uint256 underlyingValue = 0; // Getting underlying value in terms of ETH for each derivative for (uint i = 0; i < derivativeCount; i++) underlyingValue += (derivatives[i].ethPerDerivative(derivatives[i].balance()) * derivatives[i].balance()) / 10 ** 18; The totalSupply at this point is the total ETH that was previously staked, that is 2000 ether. Thus, the preDepositPrice would be equal to 1e18 * 1100e18 / 2000e18 == 0.55e18: uint256 totalSupply = totalSupply(); uint256 preDepositPrice; // Price of safETH in regards to ETH if (totalSupply == 0) preDepositPrice = 10 ** 18; // initializes with a price of 1 else preDepositPrice = (10 ** 18 * underlyingValue) / totalSupply; Let's take a closer look on how the hacker's totalStakeValueEth is calculated: uint256 totalStakeValueEth = 0; // total amount of derivatives worth of ETH in system for (uint i = 0; i < derivativeCount; i++) { uint256 weight = weights[i]; IDerivative derivative = derivatives[i]; if (weight == 0) continue; uint256 ethAmount = (msg.value * weight) / totalWeight; // This is slightly less than ethAmount because slippage uint256 depositAmount = derivative.deposit{value: ethAmount}(); uint derivativeReceivedEthValue = (derivative.ethPerDerivative( depositAmount ) * depositAmount) / 10 ** 18; totalStakeValueEth += derivativeReceivedEthValue; } First, it adds 25% SfrxEth and 25% WstEth. Let's consider their price is 1:1 and that totalStakeValueEth after adding them is equal to 50 ether. In case of rETH, the derivative.deposit{value: ethAmount}() swaps 50 ETH for rETH in UniswapV3 pool. Since the price was dropped by 90%, let's consider a scenario in which the pool returns about 50/0.1=500 rETH. The derivativeReceivedEthValue is still calculates as 50 ether though, because the resulting depositAmount (500 ether) is multipled by the price (0.1). Thus, the totalStakeValueEth would be calculated as 100 ether. But how much shares would hacker get? uint256 mintAmount = (totalStakeValueEth * 10 ** 18) / preDepositPrice; _mint(msg.sender, mintAmount); The mintAmount is calculated roughly as 100e18 * 1e18 / 0.55e18 which is roughly equal to 181 ether. Thus, we can consider a scenario where the hacker gets 181.0 SafEth shares. Now the hacker can return the Uniswap V3 pool to its normal price. Note that the price was already partially pushed up by the hacker's call to stake() which in turn swapped ETH for rETH in the pool. When the price returned to the norm, the hacker calls unstake(181 ether): The SafEth.totalSupply is equal to 2181 ether at this point, and there are 525 WstEth + 525 SfrxEth + 1500 rETH on the derivative contracts. The function withdraws 25% of the hacker's shares both from SfrxEth and WstEth, and 50% from Reth: for (uint256 i = 0; i < derivativeCount; i++) { // withdraw a percentage of each asset based on the amount of safETH uint256 derivativeAmount = (derivatives[i].balance() * _safEthAmount) / safEthTotalSupply; if (derivativeAmount == 0) continue; // if derivative empty ignore derivatives[i].withdraw(derivativeAmount); } _burn(msg.sender, _safEthAmount); The derivativeAmount for WstEth and SftxEth would be equal to 525 * 181 / 2181 which is about 43 ether. The derivativeAmount for rETH would be equal to 1500 * 181 / 2181 which is about 124 ether. Thus, the hacker receives total of 43 + 43 + 124 == 210 ether back. This is much more than the hacker originally distributed to the pools via stake() function (25 + 25 + 50). The full attack can be done in a single transaction. ## Tools Used x ## Recommended Mitigation Steps It is recommended to use TWAP price with long period. --- The text was updated successfully, but these errors were encountered: All reactions