DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

there is now withdraw mechanism for ETH in bridge contracts

ElHaj

Summary

The bridge contracts Reth and Steth lack a mechanism for withdrawing Ethereum (ETH), posing a risk of permanent loss for any ETH sent to these contracts. These contracts are used in conjunction with staking ETH protocols like RocketPool and Lido.

Vulnerability Details

The vulnerability arises due to the absence of a withdraw function or any method to retrieve ETH from the Reth and Steth bridge contracts. The contracts deals with staking eth protocols Rocket pool and Lido,and have a receive() function. but do not provide a means to access ETH stored within them. Since these contracts are not upgradeable and Separate from the diamond, any ETH in them get lost forever. also the stucked eth can't be staked to Benefit the system since the staking process depends on msg.value only :

// from Reth bridge :

function depositEth() external payable onlyDiamond returns (uint256) {

IRocketDepositPool rocketDepositPool =

IRocketDepositPool(rocketStorage.getAddress(ROCKET_DEPOSIT_POOL_TYPEHASH));

IRocketTokenRETH rocketETHToken = _getRethContract();

uint256 originalBalance = rocketETHToken.balanceOf(address(this));

rocketDepositPool.deposit{value: msg.value}();

uint256 netBalance = rocketETHToken.balanceOf(address(this)) - originalBalance;

if (netBalance == 0) revert NetBalanceZero();

return rocketETHToken.getEthValue(netBalance);

}

// from Steth bridge :

function depositEth() external payable onlyDiamond returns (uint256) {

uint256 originalBalance = steth.balanceOf(address(this));

// @edv address(0) means no fee taken by the referring protocol

steth.submit{value: msg.value}(address(0));

uint256 netBalance = steth.balanceOf(address(this)) - originalBalance;

if (netBalance == 0) revert NetBalanceZero();

return netBalance;

}

Impact

the native token eth in the bridge contracts BridgeReth BridgeSteth will be lost for ever.

Tools Used

Manual review

Recommendations

add a withdraw function that controlled by the DAO , or insure that the contract don't have any remaining eth in the deposit , and unstake process.

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.