DittoETH

Summary

The depositZETH() and withdrawZETH() functions in the VaultFacet contract do not check the return values of the burnFrom() and mint() functions of the IERC20 contract. This could potentially lead to loss of funds if these functions fail for any reason.

Vulnerability Details

In the depositZETH() function, the IERC20(zeth).burnFrom(msg.sender, amount); line burns tokens from the user's account but does not check if the operation was successful. Similarly, in the withdrawZETH() function, the IERC20(zeth).mint(msg.sender, amount); line mints tokens to the user's account without checking if the operation was successful.

If these function calls fail for any reason, the contract will continue to execute as if nothing happened, which could lead to unexpected behavior and potential loss of funds.

Impact

If the burnFrom() or mint() functions fail, the contract's state could become inconsistent with the actual token balances of the users. This could lead to users losing their tokens without any record of the loss in the contract.

Tools Used

manual review

Recommendations

It's recommended to always check the return value of function calls to external contracts. This can be done using a require() statement. Here's how you could modify the depositZETH() and withdrawZETH() functions to check the result of the burnFrom() and mint() function calls:

function depositZETH(address zeth, uint88 amount) external nonReentrant {
// ...
require(IERC20(zeth).burnFrom(msg.sender, amount), "burnFrom failed");
// ...
}

function withdrawZETH(address zeth, uint88 amount) external nonReentrant {
// ...
require(IERC20(zeth).mint(msg.sender, amount), "mint failed");
// ...
}