DittoETH

Ditto
DeFi, Foundry, Oracle
55,000 USDC
Submission Details
Severity: low
Valid

Wrongly assuming the stETH LST (and rETH) is pegged 1:1 to ETH leaves the protocol open to depeg and arbitrage and may result in a pool imbalance

Summary

DittoETH wrongly assumes that the stETH LST (and rETH) is pegged 1:1 to ETH, which leaves it open to depeg and arbitrage and may result in a pool imbalance.

Vulnerability Details

Assuming a fixed peg of 1 ETH being equivalent to 1 stETH (or rETH) is inaccurate. While both tokens aim to maintain this peg, it hasn't always been the case, as evidenced by historical data provided in this dashboard. Market volatility has led to episodes where the price of stETH notably deviated, such as in June when stETH traded at approximately 0.93 ETH.

File: BridgeRouterFacet.sol

    function deposit(address bridge, uint88 amount)
        external
        nonReentrant
        onlyValidBridge(bridge)
    {
        if (amount < Constants.MIN_DEPOSIT) revert Errors.UnderMinimumDeposit();
        // @dev amount after deposit might be less, if bridge takes a fee
        uint88 zethAmount = uint88(IBridge(bridge).deposit(msg.sender, amount)); // @dev(safe-cast)

        uint256 vault;
        if (bridge == rethBridge || bridge == stethBridge) {
            vault = Vault.CARBON;
        } else {
            vault = s.bridge[bridge].vault;
        }

        vault.addZeth(zethAmount);
        maybeUpdateYield(vault, zethAmount);
        emit Events.Deposit(bridge, msg.sender, zethAmount);
    }

File: BridgeSteth.sol

    // Bring stETH to system and credit zETH to user
    function deposit(address from, uint256 amount)
        external
        onlyDiamond
        returns (uint256)
    {
        // Transfer stETH to this bridge contract
        // @dev stETH uses OZ ERC-20, don't need to check success bool
        steth.transferFrom(from, address(this), amount);
        return amount;
    }

The deposit functions above, in BridgeRouterFacet and BridgeSteth, simply assume a conversion rate of 1 stETH = 1 zETH.

When an LST's real price differs from the ETH price (in USD), the system is open to depeg issues and potential losses for users. The assumption of a 1:1 conversion rate between stETH and zETH in the deposit functions of BridgeRouterFacet and BridgeSteth can be problematic.

If the conversion rate is not dynamically adjusted to reflect real-time market conditions, the system is vulnerable to significant discrepancies between the pegged value and the actual market value of stETH. This, in turn, could lead to instances where users receive a different amount of zETH than expected.

Impact

This situation opens up the potential for arbitrage in the LST pool due to the discrepancy between the LST price and zETH. Valid users may consequently experience losses from depegging.

Tools Used

Manual analysis

Recommendations

Consider applying real-time data feeds or using oracles to provide up-to-date pricing information.
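
One way to apply this recommendation, as an added example that is not DittoETH code: because BridgeRouterFacet.deposit credits whatever amount the bridge returns, the bridge can return the oracle-priced ETH value of the deposited stETH instead of the raw amount. The contract name, the feed (assumed to be a Chainlink-style stETH/ETH aggregator), MAX_PRICE_AGE and the compiler version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler version

// Same shape as Chainlink's AggregatorV3Interface, declared inline.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical bridge: credits zETH at the oracle's stETH/ETH rate instead of 1:1.
contract OraclePricedBridgeSteth {
    error NotDiamond();
    error InvalidPrice();
    error StalePrice();

    uint256 public constant MAX_PRICE_AGE = 1 days; // assumed staleness tolerance

    IERC20 public immutable steth;
    AggregatorV3Interface public immutable stethEthFeed; // assumed stETH/ETH feed
    address public immutable diamond;

    constructor(IERC20 _steth, AggregatorV3Interface _feed, address _diamond) {
        steth = _steth;
        stethEthFeed = _feed;
        diamond = _diamond;
    }

    // ETH value of `amount` stETH; reverts rather than pricing off bad data.
    function stethToEth(uint256 amount) public view returns (uint256) {
        (, int256 answer,, uint256 updatedAt,) = stethEthFeed.latestRoundData();
        if (answer <= 0) revert InvalidPrice();
        if (block.timestamp - updatedAt > MAX_PRICE_AGE) revert StalePrice();
        return amount * uint256(answer) / 10 ** uint256(stethEthFeed.decimals());
    }

    // Same signature as BridgeSteth.deposit; only the returned amount changes.
    function deposit(address from, uint256 amount) external returns (uint256) {
        if (msg.sender != diamond) revert NotDiamond();
        steth.transferFrom(from, address(this), amount);
        // With an 18-decimal feed answering 0.93e18, 1 stETH credits 0.93 zETH.
        return stethToEth(amount);
    }
}
```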

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-579
