DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

No check if bridge already exists

talfao

Summary

In the current createBridge function of the OwnerFacet.sol contract, a critical check to verify if the bridge already exists is missing. This omission can potentially result in double accounting in the yield generation process.

Vulnerability Details

In the rest of the OwnerFacet.sol contract functionality, there are checks in place to prevent the recreation of Vaults or Markets. However, this essential check is absent in the createBridge() function. The absence of this check can lead to the unintended creation of duplicate bridges, resulting in double accounting of yield if multiple vaults utilize the same bridge more than once. You can find the missing check in the code here: Link to code.

The potential for double accounting of yield is evident in the following code block:

function getZethTotal(uint256 vault) internal view returns (uint256 zethTotal) {

AppStorage storage s = appStorage();

address[] storage bridges = s.vaultBridges[vault];

uint256 bridgeCount = bridges.length;

for (uint256 i; i < bridgeCount;) {

zethTotal += IBridge(bridges[i]).getZethValue();

unchecked {

++i;

}

Proof of Concept

To demonstrate this behavior, a simple Proof of Concept (PoC) was created. (The test was placed in the Yield.t.sol file.)

function test_double_bridge_push() public {

vm.prank(owner);

diamond.createBridge(_bridgeReth, Vault.CARBON, 0, 0);

diamond.getUndistributedYield(Vault.CARBON);

assert(diamond.getUndistributedYield(Vault.CARBON) > 0); // As no yield was generated, this should not be true, but in current situation, it is a proof of double accounting.

}

Impact

In specific circumstances, if a DAO proposal is confirmed, it could inadvertently trigger the creation of a bridge with the same address for a vault that already uses it. This scenario can lead to double accounting of yield and, as a consequence, potentially expose the protocol to vulnerabilities such as Denial of Service and yield theft.

However, it's important to note that the likelihood of this issue occurring is relatively low, and the function is governed by the DAO. After discussing this with the sponsor, we have classified this finding as low severity.

Tools Used

Manual review.

Recommendations

To address this vulnerability, it is recommended to add the following mitigation to the createBridge function:

...

+ for (uint i = 0; i < s.vaultBridges[vault].length; i++) {

+ if (s.vaultBridges[vault][i] == bridge) {

+ revert Errors.BridgeAlreadyExist();

+ }

This change will prevent the inadvertent creation of duplicate bridges and mitigate the risk of double accounting of yield.

Updates

Lead Judging Commences

0xnevi Lead Judge

over 1 year ago

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-360

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.