DittoETH (sponsor: Ditto) - DeFi, Foundry, Oracle - Prize pool: 55,000 USDC

Submission Details
Severity: medium
Status: Invalid

Owner can be deceived into sending funds to a malicious contract, leading to re-entrancy.

Summary

Owner can be deceived into sending funds to a malicious contract, leading to re-entrancy.

Vulnerability Details

A malicious contract can re-enter the bridge contract, which would give it access to the transfer logic and let it manipulate project funds.

Impact

A user can deploy a malicious contract and send ETH through it for staking.
After some time the malicious actor withdraws its ETH from the project, which requires the administrator to transfer the ETH back to the malicious actor via the transfer call at line 94.

84:    function withdraw(address to, uint256 amount)
           external
           onlyDiamond
           returns (uint256)
       {
           IRocketTokenRETH rocketETHToken = _getRethContract();
           // Calculate zETH equivalent value in rETH
           uint256 rethValue = rocketETHToken.getRethValue(amount);
           // Transfer rETH from this bridge contract
           // @dev RETH uses OZ ERC-20, don't need to check success bool
94:        rocketETHToken.transfer(to, rethValue);
           return rethValue;
       }

The administrator can unknowingly interact with the malicious account while executing the transfer function, since sending rocketETHToken is an external call, which can open the door to a re-entrancy attack.

Tools Used

Manual Code Review

Recommendations

Use a non-reentrancy guard modifier to prevent any re-entry into the withdraw function.
Add OpenZeppelin's nonReentrant modifier to the withdraw() function at line 85 in BridgeReth.sol.
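The recommendation applied to the withdraw() shown above, as an added example rather than the project's own BridgeReth.sol: the onlyDiamond modifier, the stored rETH address standing in for _getRethContract(), and the trimmed IRocketTokenRETH interface are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// OpenZeppelin v5 path; in v4 the file lives under security/ReentrancyGuard.sol.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Minimal interface covering only the two rETH calls withdraw() makes (assumed shape).
interface IRocketTokenRETH {
    function getRethValue(uint256 ethAmount) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract BridgeRethHardened is ReentrancyGuard {
    address public immutable diamond;
    IRocketTokenRETH private immutable rocketETHToken; // stand-in for _getRethContract()

    constructor(address _diamond, IRocketTokenRETH _reth) {
        diamond = _diamond;
        rocketETHToken = _reth;
    }

    // Same caller restriction as the original: only the Diamond may call withdraw().
    modifier onlyDiamond() {
        require(msg.sender == diamond, "not diamond");
        _;
    }

    // nonReentrant takes a storage lock before the body runs and releases it
    // afterwards, so a nested call into withdraw() while the external
    // rETH transfer is in flight reverts instead of executing a second time.
    function withdraw(address to, uint256 amount)
        external
        onlyDiamond
        nonReentrant
        returns (uint256)
    {
        // Calculate zETH equivalent value in rETH
        uint256 rethValue = rocketETHToken.getRethValue(amount);
        // Transfer rETH from this bridge contract
        // @dev RETH uses OZ ERC-20, don't need to check success bool
        rocketETHToken.transfer(to, rethValue);
        return rethValue;
    }
}
```

The lock only guards functions carrying the modifier, so every other state-changing entry point that should be excluded during the external call needs nonReentrant as well.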

Updates

Lead Judging Commences
0xnevi (Lead Judge), almost 2 years ago

Submission Judgement Published
0xnevi (Lead Judge), over 1 year ago
Invalidated
Reason: Other
