Omniscia Euler Finance Audit
LidoOracle Manual Review Findings
LidoOracle Manual Review Findings
LOE-01M: Potentially Stale Calculation of Exchange Rate (Asynchronous Rewards / Penalties)
| Type | Severity | Location |
|---|---|---|
| External Call Validation |  | LidoOracle.sol:L33, L35 |
Description:
The stETH contract implementation exposes utility functions for calculating the on-chain conversion of two assets rather than the exchange rate that is influenced by the "true" value of the asset. In practical terms, the IStEth::getSharesByPooledEth and IStEth::getPooledEthByShares functions do not reflect future profits already captured that the Lido contracts will reflect via processing of the latest Lido oracle consensus.
Per the Lido documentation, the balances of the Lido system are updated at a 24-hour interval providing adequate time for a user to be knowledgeable of the shift in the exchange rate and to capitalize on it.
Impact:
The LidoOracle::_getQuote function will consistently undervalue the wstETH asset in relation to the stETH asset due to not accounting for earned but not yet reflected rewards of the Beacon Chain node operators that are affiliated with Lido. Additionally, the same function may overvalue the wstETH asset in relation to the stETH asset if losses incurred by Lido have not yet been reflected on-chain.
Example:
25/// @notice Get a quote by querying the exchange rate from the stEth contract.26/// @dev Calls `getSharesByPooledEth` for stEth/wstEth and `getPooledEthByShares` for wstEth/stEth.27/// @param inAmount The amount of `base` to convert.28/// @param base The token that is being priced. Either `stEth` or `wstEth`.29/// @param quote The token that is the unit of account. Either `wstEth` or `stEth`.30/// @return The converted amount.31function _getQuote(uint256 inAmount, address base, address quote) internal view override returns (uint256) {32 if (base == stEth && quote == wstEth) {33 return IStEth(stEth).getSharesByPooledEth(inAmount);34 } else if (base == wstEth && quote == stEth) {35 return IStEth(stEth).getPooledEthByShares(inAmount);36 }37 revert Errors.PriceOracle_NotSupported(base, quote);38}Recommendation:
The Lido ecosystem contains an AccountingOracle deployment that can be integrated to calculate the last time a consensus was processed as well as whether a consensus is presently pending.
These attributes can be utilized to prevent an exchange rate from being considered as valid if the time since the last processed consensus exceeds 24 hours, or if a consensus is pending processing imminently.
Alleviation:
The Euler Finance team evaluated this exhibit and while they agree with the overall assessment provided, they disputed the exhibit's severity as they consider it informational.
Specifically, the discrepancy between the rate utilized by the stETH contract and the actual rate that the overall accounting system of the Lido project reflects is miniscule as evidenced by extensive use of the exchange rate as-is in multiple high-TVL markets.
After a re-assessment of the exhibit's impact coupled with the fact that the exhibit pertains to an exchange rate between internal assets of the Lido ecosystem, we concur with the Euler Finance team's view in relation to the exhibit's severity and consider it safely acknowledged.