Mitigation of M-05: Issue not mitigated, mitigation errors

mediumCode4rena

MITIGATION IS NOT CONFIRMED

MITIGATION IS NOT CONFIRMED

Link to Issue: https://github.com/code-423n4/2023-03-asymmetry-findings/issues/812

Comments

The issue describes missing checks associated with staking requirements for the WstEth and Reth derivative. The proposed mitigation is to introduce a disable mechanism so that derivatives can be eventually disabled and skipped. This change is too restrictive, fails to correctly address all different described scenarios and can potentially introduce other issues.

Technical Details

There are some requirements that don't justify disabling the derivative in a global or permanent manner. For example, the issue mentions a daily staking limit for stETH which can be correctly mitigated by just shutting down the derivative.

Here is an itemized summary of the issues in this mitigation:

• Reth derivative is mitigated in another changeset as the stake operation now goes through RocketSwapRouter.
• The WstETH staking still suffers from the issues described in the original report, as disabling the whole derivative is not a proper solution to address a daily staking limit.
• The staking pause in Lido is also problematic, as disabling the derivative will not only disable deposits but also withdrawals, causing locked funds (this new issue is expanded in detail in report [adriro-NEW-M-01]).
• frxETH also has staking requirement. These are described in issue #763 (https://github.com/code-423n4/2023-03-asymmetry-findings/issues/763), which is a duplicate of the principal issue. Staking in FRAX can be eventually paused, which causes the same issue described in the previous item.
• Associated new issues of disabling derivatives are described in the report [adriro-NEW-M-01].

Recommendation

In the case of stETH, if the limit is reached, a potential solution would be to swap the assets using a pool. For the pause issues in stETH and frxETH, see report [adriro-NEW-M-01].