DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Valid

rETH unstake may revert if not enough ETH is available in the pool, making unstaking impossible

Summary

rETH unstake may revert if not enough ETH is available in the pool, making unstaking impossible.

Vulnerability Details

The unstakeEth function of BridgeRouter, specifically for rETH, assumes it can always burn rETH for ETH, but this is not always the case.

File: BridgeReth.sol

    function unstake(address to, uint256 amount) external onlyDiamond {
        IRocketTokenRETH rocketETHToken = _getRethContract();
        uint256 rethValue = rocketETHToken.getRethValue(amount);
        uint256 originalBalance = address(this).balance;
        // burn() reverts when Rocket Pool lacks the ETH to pay out, so the whole call reverts
        rocketETHToken.burn(rethValue);
        uint256 netBalance = address(this).balance - originalBalance;
        if (netBalance == 0) revert NetBalanceZero();
        (bool sent,) = to.call{value: netBalance}("");
        assert(sent);
    }

User unstake scenario:

  1. A user tries to unstake their current position.

  2. Assume the calculated share of the user's position in rETH is greater than the available collateral present in the Rocket Pool protocol.

  3. The call to unstake reverts because the withdrawal from rETH fails.

According to rETH docs:

It's possible that if node operators have put all of the staking pool to work on the Beacon chain, then the liquidity pool won't have enough balance to cover your unstaking.

This means that any unstake in BridgeReth will revert in that situation, which blocks unstaking.

A similar issue (and its duplicates) was categorized as High in a Code4rena contest:
https://github.com/code-423n4/2023-03-asymmetry-findings/issues/210

Impact

rETH unstake may revert if not enough ETH is available in the pool, making unstaking impossible.

Tools Used

Manual analysis

Recommendations

Add a fallback that swaps rETH for ETH on Uniswap if the burn function of the rETH contract fails.
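
A sketch of this fallback, added here as an example and not DittoETH's own code: burn first, and only on failure sell the rETH through a Uniswap V3 pool with a minimum-output bound derived from the Rocket Pool exchange rate. The contract name, constructor wiring, custom errors, POOL_FEE and MAX_SLIPPAGE_BPS are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Minimal interfaces, inlined so the sketch compiles on its own.
interface IRocketTokenRETH {
    function getRethValue(uint256 ethAmount) external view returns (uint256);
    function burn(uint256 rethAmount) external;
    function approve(address spender, uint256 amount) external returns (bool);
}
interface IWETH { function withdraw(uint256 wad) external; }
interface ISwapRouter { // Uniswap V3 periphery SwapRouter
    struct ExactInputSingleParams {
        address tokenIn; address tokenOut; uint24 fee; address recipient;
        uint256 deadline; uint256 amountIn; uint256 amountOutMinimum;
        uint160 sqrtPriceLimitX96;
    }
    function exactInputSingle(ExactInputSingleParams calldata params)
        external payable returns (uint256 amountOut);
}

contract BridgeRethFallbackSketch { // hypothetical name
    address immutable diamond; IRocketTokenRETH immutable reth;
    IWETH immutable weth; ISwapRouter immutable router;
    uint24 constant POOL_FEE = 500;          // assumed rETH/WETH fee tier
    uint256 constant MAX_SLIPPAGE_BPS = 100; // assumed tolerance (1%)
    error NetBalanceZero(); error NotDiamond(); error TransferFailed();

    constructor(address d, IRocketTokenRETH r, IWETH w, ISwapRouter s) {
        diamond = d; reth = r; weth = w; router = s;
    }
    receive() external payable {} // ETH arrives from burn() or WETH.withdraw()

    function unstake(address to, uint256 amount) external {
        if (msg.sender != diamond) revert NotDiamond();
        uint256 rethValue = reth.getRethValue(amount);
        uint256 originalBalance = address(this).balance;
        try reth.burn(rethValue) {} catch {
            // Burn failed (e.g. no ETH liquidity in Rocket Pool): sell on the DEX,
            // bounding the loss relative to the protocol exchange rate.
            reth.approve(address(router), rethValue);
            uint256 out = router.exactInputSingle(ISwapRouter.ExactInputSingleParams(
                address(reth), address(weth), POOL_FEE, address(this), block.timestamp,
                rethValue, amount * (10_000 - MAX_SLIPPAGE_BPS) / 10_000, 0));
            weth.withdraw(out);
        }
        uint256 netBalance = address(this).balance - originalBalance;
        if (netBalance == 0) revert NetBalanceZero();
        (bool sent,) = to.call{value: netBalance}("");
        if (!sent) revert TransferFailed();
    }
}
```

Using block.timestamp as the deadline gives no protection against delayed inclusion, so the amountOutMinimum bound is what limits the loss on the swap path; if the market price of rETH sits below that bound, the call still reverts rather than selling at a worse rate.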

Updates

Lead Judging Commences

0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-503
