Lack of input validation whether or not a given amount of unstaking ETH would be more than the minimum amount of Lido and less than the maximum amount of Lido
Summary
According to the "Request" part in the documentation of the Lido, the minimal withdrawal amount is 100 wei and the maximum withdrawal amount is 1000 eth when a user send a withdrawal request to Lido.
However, within the BridgeSteth#unstake(), there is no input validation to check whether or not a given amount of unstaking would be more than the minimal withdrawal amount(100 wei) for a withdrawal request of Lido and less than the maximum withdrawal amount (1000 ETH) for a withdrawal request of Lido.
Therefore, if a user the BridgeSteth#unstake() via the BridgeRouterFacet#unstakeEth() with less than 100 wei or more than 1000 ether, the transaction will be reverted.
Vulnerability Details
When a user withdraw the amount of native ETH, the user call the BridgeRouterFacet#unstakeEth().
Within the BridgeRouterFacet#unstakeEth(), the BridgeSteth#unstake() would be called like this:
https://github.com/Cyfrin/2023-09-ditto/blob/main/contracts/facets/BridgeRouterFacet.sol#L138
Within the BridgeSteth#unstake(), stETH#requestWithdrawals() would be called like this:
https://github.com/Cyfrin/2023-09-ditto/blob/main/contracts/bridges/BridgeSteth.sol#L94
According to the "Request" part in the documentation of the Lido, the minimal withdrawal amount is 100 wei and the maximum withdrawal amount is 1000 eth when a user send a withdrawal request to Lido like this:
To request a withdrawal, one needs to approve the amount of
stETHorwstETHto this contract or sign the ERC-2612 Permit, and then call the appropriaterequestWithdrawals*method.The minimal amount for a request is
100 wei, and the maximum is1000 eth. More significant amounts should be split into several requests, which allows us to avoid clogging the queue with an extra large request.
However, within the BridgeSteth#unstake(), there is no input validation to check whether or not a given amount of unstaking would be more than the minimal withdrawal amount(100 wei) for a withdrawal request of Lido and less than the maximum withdrawal amount (1000 ETH) for a withdrawal request of Lido.
Therefore, if a user the BridgeSteth#unstake() via the BridgeRouterFacet#unstakeEth() with less than 100 wei or more than 1000 ether, the transaction will be reverted.
Impact
If a user the BridgeSteth#unstake() via the BridgeRouterFacet#unstakeEth() with less than 100 wei or more than 1000 ether, the transaction will be reverted.
Tools Used
Manual review
Recommendations
Within the BridgeSteth#unstake(), consider adding an input validation to check whether or not the amount assigned would be more than the minimal withdrawal amount(100 wei) for a withdrawal request of Lido and less than the maximum withdrawal amount (1000 ETH) for a withdrawal request of Lido like this:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.