DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: low
Valid

Bridge design is liquidity imbalanced and can leave depositors that are non ERC721 compatible smart contracts unable to withdraw

Summary

The stETH unstake path (unstakeEth) does not work for depositors that are non ERC721 compatible smart contracts. This causes a liquidity imbalance which, combined with other bridge design decisions, can worsen into a situation where such users cannot pull out their LSD funds at all.

Vulnerability Details

Currently in the BridgeRouter facet the user can call 4 functions: deposit, depositEth, withdraw and unstakeEth.
From a user perspective, deposit increments your zETH at the cost of your stETH via an ERC20 transfer; depositEth does the same, but via a submit to Lido's stETH contract (Lido.sol).

To get your stETH back you can call withdraw, which returns your stETH at the cost of your zETH via an ERC20 transfer; unstakeEth does so via a withdrawal request to Lido's WithdrawalQueueERC721.sol contract, which returns you an NFT representing your position in the withdrawal queue.

                      deposit          depositEth                 withdraw         unstakeEth
LSD                   -LSD             -LSD                       +LSD             +LSD
Internal Accounting   +ZETH            +ZETH                      -ZETH            -ZETH
Method used           ERC20 transfer   Protocol (stETH::submit)   ERC20 transfer   Protocol (stETH::requestwithdrawals)

If you hold zETH in a non ERC721 compatible smart contract, you won't be able to get your stETH back via unstakeEth, because the withdrawal queue NFT cannot be delivered to your contract.
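To make the mechanism behind the table concrete, here is an added illustration (not code from DittoETH or Lido): a simplified version of the receiver check that an ERC721 safe mint or safe transfer performs, next to a minimal zETH-holding contract that passes it. The interface is the standard EIP-721 receiver hook; the check library and the holder contract are constructed for this example and do not reproduce the real BridgeRouter or WithdrawalQueueERC721 code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Standard EIP-721 receiver hook. A contract without this function (or one that
// returns the wrong selector) makes a safe mint / safe transfer to it revert.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Simplified illustration (constructed for this example) of the check an ERC721
// implementation runs before handing a token to a recipient.
library SafeReceiveCheck {
    function checkOnERC721Received(address operator, address from, address to, uint256 tokenId) internal {
        // Externally owned accounts have no code and always accept.
        if (to.code.length == 0) return;
        // A contract recipient must implement the hook and echo its selector;
        // a plain vault or multisig without it fails here, so the unstake path reverts.
        bytes4 retval = IERC721Receiver(to).onERC721Received(operator, from, tokenId, "");
        require(retval == IERC721Receiver.onERC721Received.selector, "recipient is not an ERC721 receiver");
    }
}

// Hypothetical zETH-holding contract. Implementing the hook is what lets it receive
// the withdrawal queue NFT and therefore use the unstake path instead of only withdraw.
contract ZethHolder is IERC721Receiver {
    address public immutable owner;
    // nftContract => tokenId => held; msg.sender in the hook is the NFT contract itself.
    mapping(address => mapping(uint256 => bool)) public heldPositions;

    constructor() {
        owner = msg.sender;
    }

    function onERC721Received(address, address, uint256 tokenId, bytes calldata)
        external override returns (bytes4)
    {
        heldPositions[msg.sender][tokenId] = true;
        return IERC721Receiver.onERC721Received.selector;
    }
}
```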

Transfer-based withdrawing has greater liquidity and less friction (no waiting in the withdrawal queue and no extra transaction to redeem your NFT), and there is more liquidity in depositing via depositEth because the vast majority of users hold ETH rather than stETH (an action which, incidentally, externalizes the illiquidity to the protocol as a whole). As a result, people will tend to use depositEth for depositing and withdraw for getting their LSD back.

Even if the affected non ERC721 compatible smart contract users who cannot withdraw their zETH for stETH swap their zETH for rETH instead, it is very probable that, because stETH deposits will be much bigger than rETH ones (the stETH market cap is x14 the rETH one), stETH withdrawal demand would outpace rETH deposits in the facet contract.

Impact

In the best case, non ERC721 compatible smart contracts only have a UX problem because they cannot withdraw via unstakeEth; in the worst case, most of them are unable to withdraw their LSD tokens or must endure a long wait to do so.

Tools Used

Invariant tests and manual review.

Recommendations

Lower the unstakeEth bridge fees to compensate for the overall tradeoffs.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-114
