Vulnerability Details
The general questions section in the readme.md states that the ERC20s used by the protocol are ezETH, stETH, and wBETH.
However, stETH is a rebase token and the amount of stETH in a user/platform balance will not be constant – it changes daily as staking rewards arrive.
The current deposit/withdraw flow does not handle rebasing tokens at all.
In the case of wrapped tokens such as wBETH, used here, although the exact amountToRedeem amount is calculated during the withdrawal request (WithdrawQueue#L229), the user will continue to earn part of the rewards, because the token's value is determined by a price that increases over time.
Even though the user has to wait 7 days (according to the readme) for a claim, the same amountToRedeem of wBETH will be worth more after these 7 days.
In the case of stETH, a rebasing token, the exact amountToRedeem will be calculated in the same way. However, a rebasing token's value remains 1:1, and its value changes through balance updates, not through an increasing price.
Here, after 7 days, this amountToRedeem will not be updated. Users who decide to withdraw stETH will always lose the rewards that accumulate before they are able to claim.
Impact
HIGH – Loss of capital of users who withdraw stETH. Their LST rewards will be miscalculated. Loss will constantly grow over time.
Recommendation
Consider using the non-rebasing wrapped version of stETH (wstETH) instead, or re-calculate amountToRedeem to adjust its balance.
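The difference between the two token models can be checked with a small accounting simulation. This is an added example, not code from the protocol: the RebasingPool class, the simulate function, the pool size and the 10 bps reward over the claim delay are all constructed assumptions.

```python
# Added illustration: a constructed model, not the protocol's contracts.
WAD = 10**18

class RebasingPool:
    """stETH-style accounting: holders own shares, rewards grow the pooled total."""
    def __init__(self, pooled, shares):
        self.pooled, self.shares = pooled, shares

    def to_shares(self, amount):
        return amount * self.shares // self.pooled

    def to_amount(self, shares):
        return shares * self.pooled // self.shares

    def accrue(self, bps):
        # A positive rebase: every holder's balance grows, the price stays 1:1.
        self.pooled += self.pooled * bps // 10_000

def simulate(amount=10 * WAD, reward_bps=10):
    """Compare payouts after the claim delay; reward_bps is an assumed figure."""
    pool = RebasingPool(pooled=1_000 * WAD, shares=1_000 * WAD)
    wrapped_rate = WAD                       # ETH per wrapped token at request time

    # Withdrawal request: the queue stores a fixed token amount.
    amount_to_redeem = amount
    # Alternative for the rebasing token: remember the shares behind that amount.
    shares_at_request = pool.to_shares(amount)

    # Claim delay passes and staking rewards arrive.
    pool.accrue(reward_bps)                  # rebasing: balances go up
    wrapped_rate += wrapped_rate * reward_bps // 10_000   # wrapped: price goes up

    fixed = amount_to_redeem                 # stETH paid out from the stale amount
    by_shares = pool.to_amount(shares_at_request)
    return {
        "wrapped_value": amount_to_redeem * wrapped_rate // WAD,
        "rebasing_fixed": fixed,
        "rebasing_by_shares": by_shares,
        "rebasing_loss": by_shares - fixed,
    }

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:20s} {value / WAD:.4f}")
```

Recording shares at request time and converting them back at claim time is one way to implement the re-calculation suggested in the recommendation.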
References