DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Valid

Withdrawals fail when selected bridge does not have enough LST

Summary

If a user wants to withdraw more zEth than the amount of LST currently held by the bridge he selects, his transaction reverts.

Vulnerability Details

The withdraw function in BridgeRouterFacet allows a user to exchange his virtual zEth balance for an LST. If the bridge he selects holds less LST than the amount he wants to withdraw, the bridge's balance cannot satisfy the withdrawal request and the transaction reverts.
Here's a POC of a user depositing and then being unable to withdraw.

    function testLargeLSTWithdrawal() public {
        // Fund each user with the LST he will deposit
        deal(_steth, sender, 10000 ether);
        deal(_reth, extra, 10000 ether);
        uint88 deposit1 = 500 ether;
        uint88 deposit2 = 1000 ether;

        // extra deposits rETH, sender deposits stETH
        vm.startPrank(extra);
        diamond.deposit(_bridgeReth, deposit1);
        vm.startPrank(sender);
        diamond.deposit(_bridgeSteth, deposit2);

        // extra withdraws through the stETH bridge, leaving it with less stETH than sender deposited
        vm.startPrank(extra);
        diamond.withdraw(_bridgeSteth, deposit1);

        // sender's virtual zEth balance is still the full deposit
        vm.startPrank(sender);
        assertEq(diamond.getVaultUserStruct(Vault.CARBON, sender).ethEscrowed, deposit2);
        vm.expectRevert("ERC20: transfer amount exceeds balance");
        diamond.withdraw(_bridgeSteth, deposit2); // unable to withdraw despite his virtual zEth balance
    }

Impact

A user cannot make a single withdrawal to exchange all his zEth balance for an LST from the protocol. He has to make the withdrawal more than once, first from his desired bridge and then from other bridges. He may still need to exchange the other LST for the desired LST.

Tools Used

VS Code

Recommendations

If a bridge does not have enough LST for the withdrawal, the remaining LST can be sourced from LSTs on other bridges and sold for the desired LST on a DEX.
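
The sketch below is an added illustration, not code from the submission or from DittoETH. It models the pooled zEth credit and per-bridge LST balances described above, replays the POC sequence, and plans a split withdrawal that takes from the preferred bridge first. The class, method and bridge names and the 1:1 LST-to-zEth rate are assumptions, and the DEX swap of the non-preferred legs is not modelled.

```python
# Added illustration: simplified model of pooled zEth credit backed by
# per-bridge LST balances. All names and the 1:1 rate are assumptions.

class InsufficientBridgeBalance(Exception):
    """Stands in for the "ERC20: transfer amount exceeds balance" revert."""

class Vault:
    def __init__(self, bridges):
        self.lst = {b: 0 for b in bridges}  # LST actually held by each bridge
        self.escrowed = {}                  # user -> virtual zEth balance

    def deposit(self, user, bridge, amount):
        self.lst[bridge] += amount
        self.escrowed[user] = self.escrowed.get(user, 0) + amount

    def withdraw(self, user, bridge, amount):
        if self.escrowed.get(user, 0) < amount:
            raise ValueError("insufficient zEth")
        if self.lst[bridge] < amount:       # credit is pooled, liquidity is not
            raise InsufficientBridgeBalance(bridge)
        self.escrowed[user] -= amount
        self.lst[bridge] -= amount

    def plan_withdrawal(self, user, preferred, amount):
        """Split `amount` across bridges, preferred bridge first. Legs on other
        bridges would still need a swap into the preferred LST."""
        if self.escrowed.get(user, 0) < amount:
            raise ValueError("insufficient zEth")
        order = [preferred] + [b for b in self.lst if b != preferred]
        plan, remaining = [], amount
        for bridge in order:
            take = min(remaining, self.lst[bridge])
            if take:
                plan.append((bridge, take))
                remaining -= take
        if remaining:
            raise InsufficientBridgeBalance("all bridges")
        return plan

def replay_poc():
    """Replay the POC's deposit/withdraw sequence (amounts in whole ether)."""
    v = Vault(["steth", "reth"])
    v.deposit("extra", "reth", 500)
    v.deposit("sender", "steth", 1000)
    v.withdraw("extra", "steth", 500)
    try:
        v.withdraw("sender", "steth", 1000)
        reverted = False
    except InsufficientBridgeBalance:
        reverted = True
    return reverted, v.plan_withdrawal("sender", "steth", 1000)
```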

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-579
