DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Missing check of the input arguments `rocketStorageAddress` and `diamondAddr`

bube

Summary

Missing zero address validations and contract existence are detected in smart contracts BridgeReth.sol and BridgeSteth.sol.

Vulnerability Details

In BridgeReth.sol the input constructor parameters rocketStorageAddress and diamondAddr are not checked if they are zero addresses or invalid contract addresses. Also, in BridgeSteth.sol the input constructor parameter diamondAddr is not checked if it is zero address or invalid contract address.

Impact

If rocketStorageAddress in BridgeReth.sol is not a valid address or is set to the zero address (0x0), any calls to rocketStorage.getAddress() would likely fail, causing most of the contract's functions to revert.

If diamondAddr in contracts BridgeReth.sol and BridgeSteth.sol is not a valid address or is set to the zero address (0x0), the contracts would be unusable. This is because the onlyDiamond modifier is used to restrict access to certain functions (deposit, depositEth, withdraw, unstake) to the address stored in diamondAddr. If this is set to the zero address, no one would be able to call these functions, rendering the contract unusable.

Tools Used

Manual review, VS Code

Recommendations

Add require to validate the address parameters in constructors in BridgeReth.sol and BridgeSteth.sol contracts and add check to ensure that the provided addresses are valid smart contracts.

In BridgeReth.sol:

constructor(IRocketStorage rocketStorageAddress, address diamondAddr) {

require(rocketStorageAddress != IRocketStorage(address(0)), "rocketStorageAddress cannot be the zero address");

require(diamondAddr != address(0), "diamondAddr cannot be the zero address");

uint32 size;

assembly {

size := extcodesize(rocketStorageAddress)

}

require(size > 0, "rocketStorageAddress is not a valid contract address");

assembly {

size := extcodesize(diamondAddr)

}

require(size > 0, "diamondAddr is not a valid contract address");

rocketStorage = IRocketStorage(rocketStorageAddress);

diamond = diamondAddr;

RETH_TYPEHASH = keccak256(abi.encodePacked("contract.address", "rocketTokenRETH"));

ROCKET_DEPOSIT_POOL_TYPEHASH = keccak256(abi.encodePacked("contract.address", "rocketDepositPool"));

}

In BridgeSteth.sol:

constructor(ISTETH _steth, IUNSTETH _unsteth, address diamondAddr) {

steth = ISTETH(_steth);

unsteth = IUNSTETH(_unsteth);

require(diamondAddr != address(0), "diamondAddr cannot be the zero address");

uint32 size;

assembly {

size := extcodesize(diamondAddr)

}

require(size > 0, "diamondAddr is not a valid contract address");

diamond = diamondAddr;

steth.approve(

address(unsteth),

0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

);

}

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Zero address checks

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.