DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Missing minimum and maximum deposit checks for bridge contract interactions

falconhoof

Summary

Updated MIN check and new MAX check required in BridgeRouterFacet.sol::depositEth(), which calls depositEth() in both of the bridge contracts; BridgeReth.sol and BridgeSteth.sol. The staking protocols these bridge contracts interact with both implement deposit limits which should be aligned to.

Assumptions

Assumed that the DittoEth has merged functions from two of Lido.fi protocol's contracts into one mock contract given that the submit() function used in BridgeSteth.sol::depositEth() comes from Lido.sol contract and other functions come from StETH.sol. In recommendations I continue to use this assumption for simplicity.

Vulnerability Details

BridgeRouterFacet.sol

There is a minimum deposit check in BridgeRouterFacet.sol::depositEth() which is 0.0001 ether which is not high enough.

BridgeReth.sol

rocketDepositPool.sol::deposit() implements a minimum value of 0.01 ether defined at RocketDAOProtocolSettingsDeposit.sol#L18 and used at RocketDepositPool.sol#L94 (see links).
It further implements a dynamic maximum allowed value, depending on current conditions, and is checked in the code block at RocketDAOProtocolSettingsDeposit.sol#L107-L117 (linked). The checks in the code block are activated if msg.value is greater than 160 ether.

BridgeSteth.sol

No minimum allowed value.
The maximum allowed value in Lido.sol::submit() is dynamic, depending on considerations such as network conditions and protocol needs. The staking limit is checked in the code block at Lido.sol#L930-L936 (linked). The checks in the code block will be activated if isStakingLimitSet is true.

Impact

BridgeReth.sol

Any deposit below allowed minimum 0.01 ether or above current allowed maximum will cause the transaction to revert. This means the user's transaction will fail and user will lose the gas costs associated with that transaction and user will have bad user experience.

BridgeSteth.sol

Any deposit above current allowed maximum will cause the transaction to revert. This means the user's transaction will fail and user will lose the gas costs associated with that transaction and user will have bad user experience.

Tools Used

Manual Review

Recommendations

`Constants.sol`

Increase minimum deposit stored at Constants.MIN_DEPOSIT to 0.01 ether to match BridgeReth.sol

`BridgeReth.sol`

Update BridgeReth.sol::depositEth() to include:

A maximum check, using rocketDepositPool::getMaximumDepositAmount(), that msg.value does not breach current allowed maximum.

function depositEth() external payable onlyDiamond returns (uint256) {

IRocketDepositPool rocketDepositPool = IRocketDepositPool(

rocketStorage.getAddress(ROCKET_DEPOSIT_POOL_TYPEHASH)

);

// Maximum deposit check

>>> uint256 maxDepositAmount = rocketDepositPool.getMaximumDepositAmount();

>>> require(msg.value <= maxDepositAmount, "Deposit amount exceeds maximum threshold");

IRocketTokenRETH rocketETHToken = _getRethContract();

uint256 originalBalance = rocketETHToken.balanceOf(address(this));

rocketDepositPool.deposit{value: msg.value}();

uint256 netBalance = rocketETHToken.balanceOf(address(this)) -

originalBalance;

if (netBalance == 0) revert NetBalanceZero();

return rocketETHToken.getEthValue(netBalance);

}

`BridgeSteth.sol`

Update BridgeSteth.sol::depositEth() to include:

A maximum check, using Lido.sol::getCurrentStakeLimit() (linked), that msg.value does not breach current
allowed maximum.

function depositEth() external payable onlyDiamond returns (uint256) {

// Check the current stake limit

>>> uint256 currentStakeLimit = steth.getCurrentStakeLimit();

>>> require(msg.value <= currentStakeLimit, "Deposit exceeds current stake limit");

uint256 originalBalance = steth.balanceOf(address(this));

steth.submit{value: msg.value}(address(0));

uint256 netBalance = steth.balanceOf(address(this)) - originalBalance;

if (netBalance == 0) revert NetBalanceZero();

return netBalance;

}

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-298

finding-542

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-542

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.