DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

BridgeSteth contract does not handle a shares-on-transfer token when depositing the StEth token into this.

lowk

Summary

The StEth token is a rebaseable ERC-20 token and the BridgeStEth contract did tranfer the wrong methodology leading to this contract not receiving exactly the amount of token.

Vulnerability Details

The BridgeRouterFacet has a deposit() function that allows a client to transfer a StETH token into a BridgeSteth contract.

// BridgeRouterFacet contract

function deposit(address bridge, uint88 amount)

external

nonReentrant

onlyValidBridge(bridge)

{

if (amount < Constants.MIN_DEPOSIT) revert Errors.UnderMinimumDeposit();

// @dev amount after deposit might be less, if bridge takes a fee

uint88 zethAmount = uint88(IBridge(bridge).deposit(msg.sender, amount)); // @dev(safe-cast);

// ...

}

The BridgeSteth contract will transfer from a msg.sender by calls steth.tranferFrom

// BridgeSteth contract

function deposit(address from, uint256 amount)

external

onlyDiamond

returns (uint256)

{

// Transfer stETH to this bridge contract

// @dev stETH uses OZ ERC-20, don't need to check success bool

steth.transferFrom(from, address(this), amount);

return amount;

}

Following a document of Lido Finance that the StEth token is a rebaseable ERC-20 token (https://docs.lido.fi/guides/steth-integration-guide#what-is-steth)

The StEth of Lido Finance will re-calculate the amount of tokens that add shares while they are transferred.

Impact

So, the BridgeSteth uses the transferFrom function to transfer an amount of token which does not receive exactly the amount of token.

Tools Used

Manually

Recommendations

Implement support shares-on-transfer for the StEth token

// BridgeSteth.sol

function deposit(address from, uint256 amount)

external

onlyDiamond

returns (uint256)

{

uint256 _balanceBefore = steth.balanceOf(address(this));

steth.transferFrom(from, address(this), amount);

return steth.balanceOf(address(this)) - _balanceBefore;

Updates

Lead Judging Commences

0xnevi Lead Judge

over 1 year ago

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.