DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: medium
Invalid

BridgeRouterFacet.deposit will not allow user to deposit when he provides enough funds for rocket bridge

Summary

BridgeRouterFacet.deposit will not allow a user to deposit when he provides enough funds for the rocket bridge, as it doesn't account for the conversion rate.

Vulnerability Details

A user can deposit to BridgeRouterFacet using the deposit and depositEth functions. Both of them check that the user has provided enough funds.

I see 2 problems here:
1. If the user provides StEth or direct Eth, the provided amount is in eth, so the min deposit check checks eth in this case. But if the user provides rocket eth, the amount is not converted to eth yet. So it's possible that the user has provided enough funds (in terms of eth), but less than the min amount in terms of rEth. In such cases, the user should be allowed to deposit.
2. As this comment says, it's possible that some added bridge will take a fee, which means that a smaller amount of eth will be received. So it's possible that the user will provide more than the min deposit, but after bridging a smaller amount will be escrowed. In this case the deposit should not be allowed.

Impact

Min deposit restriction can be corrupted.

Tools Used

VsCode

Recommendations

I believe that checking the min deposit after bridging will fix both described problems. Just do the check after you have calculated the zEth amount.
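The check ordering the submission compares, modelled as an added example that is not part of the submission or of DittoETH's code. The minimum deposit, the rETH exchange rate and the fee-taking bridge are constructed values, and every function name is hypothetical.

```python
from dataclasses import dataclass

WAD = 10**18
# Assumption: 0.1 ETH minimum. The page does not state the protocol's real value.
MIN_DEPOSIT = WAD // 10


@dataclass(frozen=True)
class Bridge:
    """Hypothetical bridge model: exchange rate plus an optional bridging fee."""
    name: str
    eth_per_token_wad: int  # ETH value of one token, 18-decimal fixed point
    fee_bps: int = 0        # fee charged on bridging, in basis points

    def to_eth(self, amount: int) -> int:
        """ETH-denominated amount escrowed for `amount` tokens (rounds down)."""
        gross = amount * self.eth_per_token_wad // WAD
        return gross - gross * self.fee_bps // 10_000


def accepts_pre_bridge(amount: int) -> bool:
    """Ordering described in the submission: compare the raw token amount."""
    return amount >= MIN_DEPOSIT


def accepts_post_bridge(bridge: Bridge, amount: int) -> bool:
    """Recommended ordering: compare the amount after rate and fee are applied."""
    return bridge.to_eth(amount) >= MIN_DEPOSIT


def compare(bridge: Bridge, amount: int) -> tuple[bool, bool, int]:
    """Return (pre-bridge verdict, post-bridge verdict, escrowed ETH amount)."""
    return accepts_pre_bridge(amount), accepts_post_bridge(bridge, amount), bridge.to_eth(amount)


# Constructed sample bridges and deposits.
STETH = Bridge("stETH", eth_per_token_wad=WAD)                    # 1:1, no fee
RETH = Bridge("rETH", eth_per_token_wad=108 * WAD // 100)         # 1 rETH = 1.08 ETH
FEE_BRIDGE = Bridge("feeBridge", eth_per_token_wad=WAD, fee_bps=50)

if __name__ == "__main__":
    cases = [(STETH, WAD // 10), (RETH, 95 * WAD // 1000), (FEE_BRIDGE, WAD // 10)]
    for bridge, amount in cases:
        pre, post, escrowed = compare(bridge, amount)
        flag = "" if pre == post else "  <-- verdicts disagree"
        print(f"{bridge.name:10} in={amount} escrowed={escrowed} pre={pre} post={post}{flag}")
```

The two verdicts only diverge for bridges whose token is not 1:1 with ETH or that take a fee, which are the two cases listed under Vulnerability Details.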

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
