DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

zETH minting is vulnerable to any attack or price fluctuation in stETH protocol.

836541

Summary

In BridgeRouterFacet.sol, both deposit and depositEth methods deposit the user's collateral via bridge, and the bridge returns a zETH amount which the BridgeRouterFacet.sol should credit to the user. However, while for rETH bridge the bridge uses a oracle to convert rETH to ETH to return a precise amount of zETH, the stETH bridge just returns the value of stETH the user deposited, assuming that stETH:ETH:zETH, which makes the protocol vulnerable to exploits and price fluctuations of stETH.

Vulnerability Details

In BridgeRouterFacet.sol, both deposit and depositETH has this line of code:

uint88 zethAmount = uint88(IBridge(bridge).deposit(msg.sender, amount));

It returns a value of zethAmount which uses should get based on how much he deposited.

When user deposits stETH, the method depositEth in BridgeSteth.sol is called:

function depositEth() external payable onlyDiamond returns (uint256) {

uint256 originalBalance = steth.balanceOf(address(this));

// @edv address(0) means no fee taken by the referring protocol

steth.submit{value: msg.value}(address(0));

uint256 netBalance = steth.balanceOf(address(this)) - originalBalance;

if (netBalance == 0) revert NetBalanceZero();

return netBalance;

}

The method above just retuns the netBalance, which is the value of stETH you deposited as the zETHAmount. This is flawed, because any attack or price fluctuation in stETH that decreases it's value will directly impact our bridge. For example, if stETH is 90% of ETH price, then users are getting zETH in our protocol with 10% discount.

Impact

Probability: Low.
Severity: High.
Impact: Medium.

The security of "minting" zETH via stETH deposits have a great dependancy in stETH price.

Tools Used

Manual Review

Recommendations

To avoid this, the stETH:ETH chainlink oracle should be used.

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-579

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.