DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Due to lack of subtraction of the `fee`, `s.vault[vault].zethTotal` would be misaccounted

0xmuxyz

Summary

Within the LibVault#removeZeth(), the fee would not be subtracted from the s.vault[vault].zethTotal.
This lead to misaccounting of the s.vault[vault].zethTotal.

Vulnerability Details

When a user withdraw their LST (stETH or rETH), the user call the BridgeRouterFacet#withdraw(). At that time, the user have to pay the withdrawal fee.

Within the BridgeRouterFacet#withdraw(), the LibVault#removeZeth() would be called with the fee like this:
https://github.com/Cyfrin/2023-09-ditto/blob/main/contracts/facets/BridgeRouterFacet.sol#L111

function withdraw(address bridge, uint88 zethAmount)

external

nonReentrant

onlyValidBridge(bridge)

{

if (zethAmount == 0) revert Errors.ParameterIsZero();

uint88 fee;

uint256 withdrawalFee = bridge.withdrawalFee();

uint256 vault;

if (bridge == rethBridge || bridge == stethBridge) {

vault = Vault.CARBON;

} else {

vault = s.bridge[bridge].vault;

}

if (withdrawalFee > 0) {

fee = zethAmount.mulU88(withdrawalFee);

zethAmount -= fee;

s.vaultUser[vault][address(this)].ethEscrowed += fee;

}

uint88 ethAmount = _ethConversion(vault, zethAmount);

vault.removeZeth(zethAmount, fee); ///<-------------------------- @audit

IBridge(bridge).withdraw(msg.sender, ethAmount);

Within the LibVault#removeZeth(),

amount + fee would be subtracted from the s.vaultUser[vault][msg.sender].ethEscrowed
amount would be subtracted from the s.vault[vault].zethTotal
https://github.com/Cyfrin/2023-09-ditto/blob/main/contracts/libraries/LibVault.sol#L28-L29

function removeZeth(uint256 vault, uint88 amount, uint88 fee) internal {

AppStorage storage s = appStorage();

s.vaultUser[vault][msg.sender].ethEscrowed -= (amount + fee); ///<----------------- @audit

s.vault[vault].zethTotal -= amount; ///<----------------- @audit

}

However, within the LibVault#removeZeth() above, the fee would not be subtracted from the s.vault[vault].zethTotal.
This lead to misaccounting of the s.vault[vault].zethTotal.

Impact

Due to lack of subtraction of the fee, s.vault[vault].zethTotal would be misaccounted.

Tools Used

Foundry

Recommendations

Within the LibVault#removeZeth(), consider subtracting amount + fee from the s.vault[vault].zethTotal like this:

function removeZeth(uint256 vault, uint88 amount, uint88 fee) internal {

AppStorage storage s = appStorage();

s.vaultUser[vault][msg.sender].ethEscrowed -= (amount + fee);

+ s.vault[vault].zethTotal -= amount + fee;

- s.vault[vault].zethTotal -= amount;

}

Updates

Lead Judging Commences

0xnevi Lead Judge

about 2 years ago

0xnevi Lead Judge about 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.