DittoETH

Summary

Potential misscalculation of the netBalance in function unstake() in BridgeReth.sol contract.

Vulnerability Details

In the context of the function unstake(), originalBalance is the Ether balance of the contract before the burnoperation is performed on the rocketETHToken. The burn operation is expected to increase the contract's Ether balance. Therefore, originalBalance should be less than address(this).balance after the burn operation.

However, if for some reason the burn operation does not increase the contract's Ether balance (for example, if it fails or reverts), or if Ether is somehow removed from the contract in between the time originalBalance is set and the burn operation is performed, then originalBalance could be equal to or even greater than address(this).balance. This would cause the calculation of netBalance to underflow, resulting in a very large value due to the way Solidity handles underflows.

Impact

If for any reason, like receiving Ether through a selfdestruct from another contract or through a direct send or transfer, the contract's balance increases between the lines where originalBalance is set and where burn is called, netBalance will be larger than the actual amount of Ether received from the burn operation. This could lead to the contract sending more Ether than it should when making the call to the to address.

To fix this, you should recalculate the originalBalance immediately after the burn operation and/or add a check after the burn operation to ensure that the contract's balance has indeed increased.

Tools Used

Manual review, VS Code

Recommendations

Recalculate the originalBalance immediately after the burn operation and/or add a check after the burn operation to ensure that the contract's balance has indeed increased. This way, netBalance will accurately reflect the amount of Ether received from the burn operation.