recursiveEth - Potential 1-2 Wei Loss in Token Transfers Due to Integer Division and Rounding

[sherlock-admin4]

recursiveEth

High

Potential 1-2 Wei Loss in Token Transfers Due to Integer Division and Rounding

Summary

The deposit function that allows users to deposit tokens into a vault. The function specifically handles Wsteth (wrapped staked Ether) and converts other tokens (stETH, WETH, ETH) to Wsteth if necessary. A potential vulnerability arises from the integer division and rounding down during token transfers, which may result in a 1-2 wei discrepancy. This discrepancy can become significant over time, especially as the stETH/share rate increases.

Vulnerability Detail

  if (token == steth) {
            IERC20(steth).safeTransferFrom(sender, wrapper, amount);
            amount = _stethToWsteth(amount);

This function is used to deposit stETH to vault, however it doesn't take into account that stETH is a special token when it comes to it's transfer logic, navigating to lido's official docs, where during transfers the amount that actually gets sent is actually a bit less than what has been specified in the transaction. More can be read on the "1-2 wei corner case" issue from lidofinance/core#442.

This would mean that protocol would then overvalue the amount of assets that get transferred in, which would make protocol over-evaluate the value of steth.

Impact

Code Snippet

https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/utils/DepositWrapper.sol#L55
Some Example:-
sherlock-audit/2024-05-sophon-judging#30
sherlock-audit/2024-05-sophon-judging#63

Tool used

Manual Review

Recommendation

To mitigate this vulnerability, consider using transferShares instead of direct balance transfers. or Apply the balance check

 if (token == steth) {
+        uint256 balanceBefore = IERC20(stETH).balanceOf(address(this));
            IERC20(steth).safeTransferFrom(sender, wrapper, amount);
+        uint256 receivedAmount =  (IERC20(stETH).balanceOf(address(this)) - balanceBefore);
        receivedAmount = _stethToWsteth(receivedAmount );

[recursiveEth]

Escalate
issue number is #163, the loss of 1-2 WEI is not a low/invalid issue, the same issue has been considered in past audits as well thank you

[sherlock-admin3]

Escalate
issue number is #163, the loss of 1-2 WEI is not a low/invalid issue, the same issue has been considered in past audits as well thank you

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

[z3s]

Same as #181

[WangSecurity]

I believe the report is incorrect. This issue doesn't lead to 1-2 wei loss and contracts believing they have more funds. The issue results in reverts and the function not being able to proceed since the balance is less than it's expected, leading to revert and DOS of deposit functionality.

Hence, I believe this report is not sufficient duplicate and the escalation will be rejected. I'll review the #299 issue, since it may have been judged incorrectly, but this report will be deduplicated either way.

[WangSecurity]

Result:
Invalid
Unique

[sherlock-admin4]

Escalations have been resolved successfully!

Escalation status:

• recursiveEth: rejected