DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Valid

[L-4] Yield update will not happen at the 1k ETH threshold

Summary

Yield updates happen for a vault when the BRIDGE_YIELD_UPDATE_THRESHOLD (1000 ETH, to be exact) is met for the vault after a large bridge deposit. The maybeUpdateYield function handles the update logic for that case.

Vulnerability Details

Threshold constant from:

FILE: 2023-09-ditto/contracts/libraries/Constants.sol (lines 17-18)

    uint256 internal constant BRIDGE_YIELD_UPDATE_THRESHOLD = 1000 ether;
    uint256 internal constant BRIDGE_YIELD_PERCENT_THRESHOLD = 0.01 ether; // 1%

FILE: 2023-09-ditto/contracts/facets/BridgeRouterFacet.sol

    function maybeUpdateYield(uint256 vault, uint88 amount) private {
        uint88 zethTotal = s.vault[vault].zethTotal;
        if (
            zethTotal > Constants.BRIDGE_YIELD_UPDATE_THRESHOLD
                && amount.div(zethTotal) > Constants.BRIDGE_YIELD_PERCENT_THRESHOLD
        ) { // @audit should be >= to account for when threshold is met
            // Update yield for "large" bridge deposits
            vault.updateYield();
        }
    }

Impact

In practice, the yield update for the vault will not happen for 1000 ETH deposits; it happens only when the bridge deposit amount into the vault is > 1000 ETH and the percent is greater than 1%.

Tools Used

Manual review

Recommendations

Change the > operator in the maybeUpdateYield function to >=.
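
The boundary behaviour behind this finding, as an added example that is not DittoETH's code or part of the original submission. It assumes amount.div(zethTotal) is 18-decimal fixed-point division; the contract name, ratio, triggersStrict, triggersInclusive and checkBoundaries are hypothetical names, and all values are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not DittoETH code. Stand-alone model of the two comparisons in
// maybeUpdateYield. Assumption: amount.div(zethTotal) is 18-decimal fixed-point
// division, modelled here as amount * 1e18 / zethTotal.
contract YieldThresholdModel {
    uint256 internal constant BRIDGE_YIELD_UPDATE_THRESHOLD = 1000 ether;
    uint256 internal constant BRIDGE_YIELD_PERCENT_THRESHOLD = 0.01 ether; // 1%

    // Deposit size as a fraction of the vault total, scaled by 1e18.
    // Reverts on zethTotal == 0; both callers short-circuit before reaching it.
    function ratio(uint88 amount, uint88 zethTotal) public pure returns (uint256) {
        return (uint256(amount) * 1e18) / zethTotal;
    }

    // Condition as quoted in the finding: both comparisons strict.
    function triggersStrict(uint88 zethTotal, uint88 amount) public pure returns (bool) {
        return zethTotal > BRIDGE_YIELD_UPDATE_THRESHOLD
            && ratio(amount, zethTotal) > BRIDGE_YIELD_PERCENT_THRESHOLD;
    }

    // Recommended form, applied here to the 1000 ETH comparison only (assumption:
    // the finding does not say whether the percent comparison should change too).
    function triggersInclusive(uint88 zethTotal, uint88 amount) public pure returns (bool) {
        return zethTotal >= BRIDGE_YIELD_UPDATE_THRESHOLD
            && ratio(amount, zethTotal) > BRIDGE_YIELD_PERCENT_THRESHOLD;
    }

    // Constructed boundary cases; reverts (Panic) if any expectation is wrong.
    function checkBoundaries() external pure {
        // Vault total exactly 1000 ETH, 50 ETH deposit (5%): only >= triggers.
        assert(!triggersStrict(1000 ether, 50 ether));
        assert(triggersInclusive(1000 ether, 50 ether));
        // One wei above the threshold: both forms trigger.
        assert(triggersStrict(1000 ether + 1, 50 ether));
        assert(triggersInclusive(1000 ether + 1, 50 ether));
        // Below the threshold: neither triggers, however large the deposit.
        assert(!triggersInclusive(999 ether, 500 ether));
        // Exactly 1% of the total: skipped, the percent comparison is still strict.
        assert(!triggersInclusive(1000 ether, 10 ether));
    }
}
```

The last case shows that the same exact-boundary exclusion exists on the percent comparison when only the first operator is changed.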

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-426

T1MOH Auditor
almost 2 years ago