Non-ideal rETH/WETH pool used pays unnecessary fees #673
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
high quality report
This report is of especially high quality
M-09
primary issue
Highest quality submission among a set of duplicates
selected for report
This submission will be included/highlighted in the audit report
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
2 (Med Risk)
c4-pre-sort
added
the
high quality report
|
0xSorryNotSorry marked the issue as high quality report |
|
0xSorryNotSorry marked the issue as primary issue |
c4-pre-sort
added
the
primary issue
This was referenced Apr 4, 2023
|
elmutt marked the issue as sponsor confirmed |
c4-sponsor
added
the
sponsor confirmed
This was referenced Apr 11, 2023
|
Picodes marked the issue as selected for report |
c4-judge
added
the
selected for report
|
What is the issue here? This is nothing but an improvement proposal (QA). |
|
My reasoning was that it's not an improvement proposal but a bug ( sub-optimal of the AMM pool), hence it does qualify for Medium for "leak of value". I have to admit that I hesitated but I leaned towards Med because of the label "sponsor confirmed" suggesting that this finding provided value for the sponsor. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-03-asymmetry/blob/44b5cd94ebedc187a08884a7f685e950e987261c/contracts/SafEth/derivatives/Reth.sol#L101
Vulnerability details
Impact
rETH is acquired using the Uniswap rETH/WETH pool. This solution has higher fees and lower liquidity than alternatives, which results in more lost user value than other solutions.
The Uniswap rETH/WETH pool that is used in Reth.sol to make swaps has a liquidity of $5 million. In comparison, the Balancer rETH/WETH pool has a liquidity of $80 million. Even the Curve rETH/WETH pool has a liquidity of $8 million. The greater liquidity should normally offer lower slippage to users. In addition, the fees to swap with the Balancer pool are only 0.04% compared to Uniswap's 0.05%. Even the Curve pool offers a lower fee than Uniswap with just a 0.037% fee. This Dune Analytics dashboard shows that Balancer is where the majority of rETH swaps happen by volume.
One solution to finding the best swap path for rETH is to use RocketPool's RocketSwapRouter.sol contract
swapTo()function. When users visit the RocketPool frontend to swap ETH for rETH, this is the function that RocketPool calls for the user. RocketSwapRouter.sol automatically determines the best way to split the swap between Balancer and Uniswap pools.Proof of Concept
Pools that can be used for rETH/WETH swapping:
Line where Reth.sol swaps WETH for rETH with the Uniswap rETH/WETH pool.
Tools Used
Etherscan, Dune Analytics
Recommended Mitigation Steps
The best solution is to use the same flow as RocketPool's frontend UI and to call
swapTo()in RocketSwapRouter.sol. An alternative is to modify Reth.sol to use the Balancer rETH/ETH pool for swapping instead of Uniswap's rETH/WETH pool to better conserve user value by reducing swap fees and reducing slippage costs.The text was updated successfully, but these errors were encountered: