0xboriskataa - stEth deposits will result in a revert

[sherlock-admin2]

0xboriskataa

High

stEth deposits will result in a revert

Summary

The protocol assumes that the amount of tokens received is equal to the amount of tokens transferred.
This is not the case for the stETH token.

Vulnerability Detail

stETH is a special token when it comes to its transfer logic and it is known that the amount it transfers is 1-2 wei less than the amount specified in the transfer function. More can be read on the "1-2 wei corner case" issue here.
Mellow deals with this token in DepositWrapper: deposit():

    if (token == steth) {
        IERC20(steth).safeTransferFrom(sender, wrapper, amount);
        amount = _stethToWsteth(amount);

After transfering the token it calls _stethToWsteth() which will revert:

    function _stethToWsteth(uint256 amount) private returns (uint256) {
        IERC20(steth).safeIncreaseAllowance(wsteth, amount);
        IWSteth(wsteth).wrap(amount);
        return IERC20(wsteth).balanceOf(address(this));
    }

The reason for the revert is that an amount - 1 will be transfered and there won't be enough stETH in the contract to call wrap().

Impact

DOS for stETH deposits. This issue has also been considered high in previous contests.

Code Snippet

https://github.com/sherlock-audit/2024-06-mellow/blob/main/mellow-lrt/src/utils/DepositWrapper.sol#L55-L57

Tool used

Manual Review

Recommendation

The simplest way to mitigate this issue is to check how much has been transfered:

    if (token == steth) {
+      uint256 balanceBefore = IERC20(steth).balanceOf(address(this));
       IERC20(steth).safeTransferFrom(sender, wrapper, amount);
+      uint256 receivedAmount =  (IERC20(steth).balanceOf(address(this)) - balanceBefore);     
-      amount = _stethToWsteth(amount); 
+      amount = _stethToWsteth(receivedAmount); 

Duplicate of #299