DittoETH

Summary

bridge address can be pushed twice which can break the system.

Vulnerability Details

OwnerFacet::CreateBridge

as we know the onlyDAO is an EOA so if the onlyDAO created two Bridges with the same bridge address, the bridge will be pushed twice in s.vaultBridges[vault].push(bridge) so it will be duplicated.

1- lets say owner entered the same bridge address address(0x12345) in createBridge so now the address(0x12345) pushed twice in s.vaultBridges[vault].push(bridge)

2- now the user wants to unstakeEth from that bridge address(0x12345) so he calls: BridgeRouterFacet::unstakeEth(bridge: address(0x12345), zethAmount: X).

3- in the unstakeEth it uses _ethConversion(vault, zethAmount) to calculate zethTotal

4- ethConversion calls LibVault.sol::getZethTotal to retrieve all bridges exists in vault X s.vaultBridges[vault] then it loops on all bridges using zethTotal += IBridge(bridges[i]).getZethValue()

5- in this case the duplicate bridge address(0x12345) will be counted twice so if bridge address(0x12345) has 10 eth it will be counted twice (10 + 10), so the zethTotal will be 20 eth instead of 10 eth.

6- so now zethTotalNew will be always greater than zethTotal if (zethTotalNew >= zethTotal)

Impact

zethTotalNew will be always greater than zethTotal if (zethTotalNew >= zethTotal), now: yield is always positive 1 zeth = 1 eth

Tools Used

Manual

Recommendations

add mapping to track if the bridge address of vault X is already exists in array s.vaultBridges[vault]