Bald Cloud Pony
High
When redeeming reserve tokens from the pool with a collateral level of less than 1.2, the protocol uses a lesser value calculated according to the formula and market value of the token returned by the oracle.
The same is stated in the documentation, for example, this is an excerpt about the levETH redemption logic:
If the collateral level is less than 1.2, the redemption price of 1 levETH is the lesser of 20% * the quantity of wstETH in the vault * the oracle price of wstETH / the amount of levETH outstanding and the oracle levETH price on Aerodrome.
https://convexitylabs.notion.site/EXT-Financial-Mechanism-Overview-46ecc3b204c04e66a21957fbcf5f4c05
However, we can see that in the code the market price of bondETH is used even during levETH redemption. This leads to incorrectly defined results of the amount of reserve tokens to redeem and eventually may result in losses for users or protocol
In Pool.sol:443-451, https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Pool.sol#L443-L451 the redeem() function always retrieves marketRate of bondToken even in the case of tokenType == TokenType.LEVERAGE.
Later, marketRate is used in getRedeemAmount() function to determine the amount of reserve tokens to send to the user:
https://github.com/sherlock-audit/2024-12-plaza-finance/blob/main/plaza-evm/src/Pool.sol#L519-L521.
This effectively leads to wrong amount of tokens sent to the user. Precisely, a user redeeming levETH may receive tokens calculated as:
(depositAmountOfLevETH * marketRateOfBondETH) / ETHPrice
- Feed for retrieving the market price of bondETH is set
No response
No response
The protocol or users may incur losses depending on the difference between the marketRate of bondETH and marketRate of levETH.
No response
Retrieve and use the price of levETH token as marketRate in case of redeeming tokenType == TokenType.LEVERAGE.