DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: high
Invalid

There's a missing unstaking strategy for "STETH".

Summary

The current and only unstaking strategy for "STETH" involves transferring an ERC721, as depicted in the provided Solidity code.

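    function unstake(address to, uint256 amount) external onlyDiamond {
        // Wrap the single amount in the array the withdrawal call expects.
        uint256[] memory amountArray = new uint256[](1);
        amountArray[0] = amount;
        // Request the withdrawal with this contract as owner of the request NFT.
        uint256 requestId = unsteth.requestWithdrawals(amountArray, address(this))[0];
        // Hand the request NFT to `to`. safeTransferFrom reverts when `to` is a
        // contract that does not implement onERC721Received.
        unsteth.safeTransferFrom(address(this), to, requestId);
    }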

However, there's an issue here. If the msg.sender doesn't handle ERC721, the function will revert. This creates an issue for contracts that intend to deposit ETH following the unstaking process. If they can't handle ERC721, they find themselves in a situation where they cannot perform the burn operation, forcing them to withdraw STETH instead of ETH.

Vulnerability Details

Impact

  • If you're operating as a contract and your functionality is dependent on receiving ETH, this situation can be problematic. Contracts might not be programmed to execute a "withdraw" or handle STETH. They may not be equipped to handle the process of swapping STETH for ETH on an exchange. All of these are a loss of funds for the user, and if they can "withdraw" and swap STETH, this incurs gas costs and potential slippage.

Tools Used

Manual review

Recommendations

Add more strategies for unstaking STETH (add swapping on an exchange).
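The revert condition described in the Summary comes from `safeTransferFrom` calling `onERC721Received` on a contract recipient. The sketch below is an added example, not DittoETH code and not part of the submission: a hypothetical integrator contract (`UnstakeReceiver`) that can be the `to` of `unstake`. The interfaces are declared locally, and `claimWithdrawal` paying ETH to the caller is an assumption about the withdrawal-queue contract behind `unsteth`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Standard ERC721 receiver hook, declared locally so the file is self-contained.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Minimal view of the withdrawal-queue NFT contract (`unsteth` in the bridge code).
// Assumption: claimWithdrawal sends the redeemed ETH to msg.sender.
interface IWithdrawalQueue {
    function claimWithdrawal(uint256 requestId) external;
}

// Hypothetical integrator contract used as the `to` address of unstake().
contract UnstakeReceiver is IERC721Receiver {
    IWithdrawalQueue public immutable queue;
    address public immutable owner;
    uint256[] public pendingRequests;

    constructor(IWithdrawalQueue _queue) {
        queue = _queue;
        owner = msg.sender;
    }

    // Without this hook, safeTransferFrom to this contract reverts.
    function onERC721Received(address, address, uint256 tokenId, bytes calldata)
        external override returns (bytes4)
    {
        // Accept only request NFTs minted by the expected queue contract.
        require(msg.sender == address(queue), "unexpected NFT");
        pendingRequests.push(tokenId);
        return IERC721Receiver.onERC721Received.selector;
    }

    // Redeem a request for ETH once the queue allows it to be claimed.
    function claim(uint256 requestId) external {
        require(msg.sender == owner, "not owner");
        queue.claimWithdrawal(requestId);
    }

    // Needed so the claimed ETH can be received by this contract.
    receive() external payable {}
}
```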

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
mahdirostami Submitter
almost 2 years ago
0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
