Skip to content

Latest commit

 

History

History
51 lines (41 loc) · 3.03 KB

069.md

File metadata and controls

51 lines (41 loc) · 3.03 KB

Powerful Honeysuckle Anteater

High

Cross-chain wrsETH amount is wrapped before the treasury have received it, which could revert the whole transaction

Summary

When performing a dCDS withdrawal, if the user has opted in for liquidations, there are cases where we need to retrieve collateral (ETH/rsETH or other) from another chain. However, the protocol attempts to wrap the wrsETH before it has been received, causing the transaction to revert.

Root Cause

In the case of liquidation opt-in for a dCDS depositor, we may need to retrieve ETH from another chain. This situation occurs when liquidations happen on a different chain, and the collateral retrieved from them is stored there.

In CDSLib.sol, the liquidation calculation logic is implemented here - CDSLib.sol#L624-L777.

The issue arises because the protocol attempts to wrap the funds in the treasury before they have been received, leading to a transaction revert.

                    interfaces.globalVariables.oftOrCollateralReceiveFromOtherChains{value: msg.value - params.fee}(
                        IGlobalVariables.FunctionToDo(
                            // Call getLzFunctionToDo in cds library to get, which action needs to do in dst chain
                            getLzFunctionToDo(params.optionsFeesToGetFromOtherChain, collateralToGetFromOtherChain)
                        ),
                        IGlobalVariables.USDaOftTransferData(
                            address(interfaces.treasury), params.optionsFeesToGetFromOtherChain
                        ),
                        IGlobalVariables.CollateralTokenTransferData(
                         address(interfaces.treasury)
                            ethAmountFromOtherChain,
                            weETHAmountFromOtherChain,
                            rsETHAmountFromOtherChain
                        ),
                        IGlobalVariables.CallingFunction.CDS_WITHDRAW,
                        msg.sender
                    );
                    if (rsETHAmountFromOtherChain > 0) {
                        //@audit-issue this is incorrect. Its not yet received, and we wrap it here?
@>>                    interfaces.treasury.wrapRsETH(rsETHAmountFromOtherChain);
                    }

LayerZero needs technical time to process the transaction, send it to the other chain, and wait for the other chain to respond and send the requesting chain the collateral.

Internal Preconditions

Liquidations for rsETH have occurred on the other chain, and there are not enough rsETH resources on the current chain to cover the share of rsETH owed to the dCDS user depositor.

Attack Path

A normal dCDS depositor attempts to withdraw their position, which is opted-in for liquidations.

Impact

The transaction reverts, resulting in the inability to withdraw funds from the dCDS.

Mitigation

Avoid wrapping the rsETH before receiving it.