DittoETH

Ditto

DeFiFoundryOracle

55,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

BridgeReth did not check if deposit is enabled in the pool

chainnue

Summary

Reth derivative did not check if deposit is enabled in the pool

Vulnerability Details

In the Rocket Pool's RocketDepositPool contract, there's an important check to make sure that a deposit can go through:

require(rocketDAOProtocolSettingsDeposit.getDepositEnabled(), "Deposits into Rocket Pool are currently disabled");

This means that if deposits are turned off in Rocket Pool, any attempt to deposit will be stopped.

However, in the DittoETH BridgeReth contract, this check is not in place. So, if deposits are disabled in Rocket Pool, someone could still try to deposit, but it would fail.

File: BridgeReth.sol

70: function depositEth() external payable onlyDiamond returns (uint256) {

71: IRocketDepositPool rocketDepositPool =

72: IRocketDepositPool(rocketStorage.getAddress(ROCKET_DEPOSIT_POOL_TYPEHASH));

73: IRocketTokenRETH rocketETHToken = _getRethContract();

74:

75: uint256 originalBalance = rocketETHToken.balanceOf(address(this));

76: @> rocketDepositPool.deposit{value: msg.value}();

77: uint256 netBalance = rocketETHToken.balanceOf(address(this)) - originalBalance;

78: if (netBalance == 0) revert NetBalanceZero();

79:

80: return rocketETHToken.getEthValue(netBalance);

81: }

Referrence:
https://code4rena.com/reports/2023-03-asymmetry#m-05-missing-derivative-limit-and-deposit-availability-checks-will-revert-the-whole-stake-function
https://github.com/code-423n4/2023-03-asymmetry-findings/issues/592
https://github.com/code-423n4/2023-03-asymmetry-findings/issues/458

Impact

Tools Used

Manual analysis

Recommendations

add check getDepositEnabled() to check the Rocket Pool’s deposit availability

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Prize pool breakdown

Total prize

55,000 USDC

nSLOC

3,365

16 USDC / LOC

High Medium

50,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.