The depositEth, withdraw, unstake, and _ethConversion functions in BridgeSteth.sol and BridgeRouterFacet.sol, as well as getZethValue in BridgeSteth.sol, treat zETH as 1:1 with stETH and ETH. But zETH is a basket of liquid ether staking tokens, so its value won't necessarily be 1:1. For example, stETH itself represents ETH plus staking rewards, so theoretically it should be worth more than ETH, but in June 2022 it depegged significantly from ETH (worth around 10% less). It is possible that zETH will also be available on third-party decentralized exchanges, which could mean that there will be an external price that probably won't be 1:1 with ETH. If you don't actively incentivize third-party liquidity for zETH, you could have an outside source for buying it with thin liquidity, which will mean inaccurate prices. Thin liquidity also makes it easier to manipulate prices. This can result in opportunities for MEV and arbitrage and could result in the protocol being undercollateralized compared to the true value of zETH.
The depositEth, withdraw, and unstake functions all assume a 1:1 ratio between stETH and zETH or ETH and zETH (unless the total amount of zETH in the system has decreased due to something like slashing). This is due to the _ethConversion function, which does not actually convert from the true value of ETH to zETH (e.g., from an oracle) but instead assumes it is 1:1 except in cases where the total deposits decreased due to slashing. The getZethValue function in BridgeSteth.sol, which is used in _ethConversion, also treats the balance of stETH as equal to the balance of zETH.
Validators can reorder transactions and front-run deposits and withdrawals from the protocol. Also, there are pools on platforms like Curve where you can exchange from ETH to stETH. If stETH were worth more than ETH or vice versa in Curve pools, people could withdraw from Ditto at the 1:1 ratio and then sell on Curve for a profit, which could lead to Ditto's assets being drained. Or people could deposit stETH and then withdraw into rETH if that presented arbitrage opportunities. Also, treating zETH as if it is 1:1 to ETH when that might not be the value if it were swapped on other markets - new tokens like this are often not valued 1:1 because of the risk of the protocol issuing them - means that the protocol may not be as well-collateralized as the designer intends. Granted, the minimum collateralization ratio is pretty high, and it is unlikely that zETH:ETH would be like 0.5:1 or anything extreme like that, but just treating zETH as equal to ETH does obscure the true collateralization of the protocol.
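The accounting gap described above, as an added numeric model (not Ditto's code): it compares the par conversion the finding describes with a market-priced one and reports how far the collateral ratio is overstated. All function names, the price inputs, and the debt expressed in ETH are assumptions made for illustration, and the sample balances and prices are constructed.

```python
from fractions import Fraction as F

def zeth_value_at_par(balances):
    """Behaviour described in the finding: every LST unit counts as 1 zETH."""
    return sum(balances.values())

def eth_conversion_at_par(amount, balances, zeth_total):
    """1:1, unless summed bridge balances fell below minted zETH (e.g. slashing)."""
    value = zeth_value_at_par(balances)
    if value >= zeth_total:
        return amount
    return amount * value / zeth_total

def zeth_value_at_market(balances, eth_price):
    """Value each LST at its ETH price (assumed to come from an oracle or deep pool)."""
    return sum(bal * eth_price[tok] for tok, bal in balances.items())

def eth_conversion_at_market(amount, balances, zeth_total, eth_price):
    """ETH value that actually backs `amount` zETH at the given prices."""
    return amount * zeth_value_at_market(balances, eth_price) / zeth_total

def collateral_ratio(collateral_zeth, debt_eth, eth_per_zeth):
    """Collateral value over debt, both in ETH terms (simplifying assumption)."""
    return collateral_zeth * eth_per_zeth / debt_eth

def report(balances, zeth_total, eth_price, collateral_zeth, debt_eth):
    """Compare the par view with the market view for one position."""
    par = eth_conversion_at_par(F(1), balances, zeth_total)
    mkt = eth_conversion_at_market(F(1), balances, zeth_total, eth_price)
    return {
        "eth_per_zeth_par": par,
        "eth_per_zeth_market": mkt,
        "cr_par": collateral_ratio(collateral_zeth, debt_eth, par),
        "cr_market": collateral_ratio(collateral_zeth, debt_eth, mkt),
        # ETH of backing that par accounting reports but the market does not
        "overstated_backing_eth": zeth_total * (par - mkt),
    }

# Constructed sample: stETH 10% under ETH (the June 2022 scenario), rETH held at 1.
BALANCES = {"stETH": F(800), "rETH": F(200)}
PRICES = {"stETH": F(9, 10), "rETH": F(1)}
SAMPLE = report(BALANCES, zeth_total=F(1000), eth_price=PRICES,
                collateral_zeth=F(500), debt_eth=F(100))
```

With these inputs the par view reports a collateral ratio of 5 while the market view gives 4.6, and 80 ETH of reported backing is not there at market prices.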
Manual review
You could create a pool on a third-party market (probably Curve) and bootstrap liquidity so that there was an alternative place to measure the true exchange rate from zETH to ETH or zETH to stETH - you would probably have to incentivize people to deposit zETH there using Ditto tokens. Then you could use the exchange rate established on that market when converting between these various tokens. But that is admittedly a lot more coding and complication and extra Ditto token inflation.