DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: medium
Invalid

missing zero check

Summary

The `unstake` function of the rETH bridge contract does not validate that its `amount` parameter is non-zero before converting it to an rETH value and calling `burn` on the Rocket Pool token.

Vulnerability Details

A missing zero check is found in the `unstake` function of the contract. The function converts an ETH `amount` to its rETH value, burns that many rETH tokens and forwards the ETH received from the burn to the `to` address. However, there is no check at the top of the function that `amount` is greater than zero. A call with `amount == 0` therefore proceeds through `_getRethContract()`, `getRethValue(0)` and `burn(0)` before anything rejects it. Note that the function does not actually pay out zero ETH: because a burn of zero rETH leaves the contract balance unchanged, the existing `if (netBalance == 0) revert NetBalanceZero();` check reverts the call after the external calls have already been made. The practical effect of the missing check is thus a more expensive revert with a less specific reason, and a reliance on the post-burn balance comparison (and on the rETH token's own handling of a zero burn) rather than on explicit input validation. Also note that `unstake` is guarded by `onlyDiamond`, so the `amount` parameter is supplied by the diamond rather than directly by an arbitrary caller. It is recommended to add a requirement at the beginning of the function to ensure that `amount` is greater than zero, so that the zero case is rejected before any external call.

Tools Used

VS Code

Recommendation
To resolve this issue, add a check at the beginning of the `unstake` function to ensure that the `amount` parameter is greater than zero. This can be done with Solidity's `require`, which reverts the transaction if the condition is not met. Here is how this can be implemented (only the `require` line is new; the rest of the function body is unchanged):

function unstake(address to, uint256 amount) external onlyDiamond {
    // Added check: reject a zero amount before any external call is made
    require(amount > 0, "Amount must be greater than zero");
    IRocketTokenRETH rocketETHToken = _getRethContract();
    uint256 rethValue = rocketETHToken.getRethValue(amount);
    uint256 originalBalance = address(this).balance;
    rocketETHToken.burn(rethValue);
    uint256 netBalance = address(this).balance - originalBalance;
    // Existing check: reverts when the burn paid out nothing
    if (netBalance == 0) revert NetBalanceZero();
    (bool sent,) = to.call{value: netBalance}("");
    assert(sent);
}

With the check in place, a call with `amount == 0` reverts immediately, before `getRethValue` and `burn` are called, instead of running those calls and then failing on the existing `netBalance == 0` check. This saves the gas of the external calls on the failing path and gives the caller an explicit reason string.
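The following Foundry test is an added example, not code from the DittoETH repository or from the submitter: it reproduces the `unstake` body quoted above inside a hypothetical `BridgeUnderTest` contract, pairs it with a constructed `MockRETH` stand-in for the Rocket Pool token, and checks both variants of the zero-amount path. The names `MockRETH`, `BridgeUnderTest`, `UnstakeZeroAmountTest`, the `zeroCheck` flag and the `forge-std` dependency are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for Rocket Pool's rETH token (not the real contract):
// it exposes the two calls unstake() makes, converts at a fixed 1 rETH = 1 ETH
// rate and pays ETH to the burner from its own balance.
contract MockRETH {
    function getRethValue(uint256 ethAmount) external pure returns (uint256) {
        return ethAmount;
    }

    function burn(uint256 rethAmount) external {
        (bool ok,) = msg.sender.call{value: rethAmount}("");
        require(ok, "payout failed");
    }

    receive() external payable {}
}

// Hypothetical bridge carrying the unstake() body quoted in the report.
// The zeroCheck flag switches the reporter's extra require on or off so the
// two variants can be compared in the same test file.
contract BridgeUnderTest {
    error NetBalanceZero();

    MockRETH public immutable reth;
    address public immutable diamond;
    bool public immutable zeroCheck;

    constructor(MockRETH _reth, address _diamond, bool _zeroCheck) {
        reth = _reth;
        diamond = _diamond;
        zeroCheck = _zeroCheck;
    }

    modifier onlyDiamond() {
        require(msg.sender == diamond, "not diamond");
        _;
    }

    function unstake(address to, uint256 amount) external onlyDiamond {
        if (zeroCheck) require(amount > 0, "Amount must be greater than zero");
        uint256 rethValue = reth.getRethValue(amount);
        uint256 originalBalance = address(this).balance;
        reth.burn(rethValue);
        uint256 netBalance = address(this).balance - originalBalance;
        if (netBalance == 0) revert NetBalanceZero();
        (bool sent,) = to.call{value: netBalance}("");
        assert(sent);
    }

    // Needed so the mock's burn() payout can land here.
    receive() external payable {}
}

contract UnstakeZeroAmountTest is Test {
    MockRETH reth;
    address diamond = address(0xD1A);
    address user = address(0xBEEF);

    function setUp() public {
        reth = new MockRETH();
        vm.deal(address(reth), 10 ether);
    }

    // Without the extra require, amount == 0 still reverts: the burn moves no
    // ETH, so the existing netBalance check fires after the external calls.
    function test_ZeroAmountRevertsViaExistingCheck() public {
        BridgeUnderTest bridge = new BridgeUnderTest(reth, diamond, false);
        vm.prank(diamond);
        vm.expectRevert(BridgeUnderTest.NetBalanceZero.selector);
        bridge.unstake(user, 0);
    }

    // With the require, the same call reverts before touching rETH, with the
    // reporter's reason string instead of NetBalanceZero.
    function test_ZeroAmountRevertsEarlyWithExtraCheck() public {
        BridgeUnderTest bridge = new BridgeUnderTest(reth, diamond, true);
        vm.prank(diamond);
        vm.expectRevert(bytes("Amount must be greater than zero"));
        bridge.unstake(user, 0);
    }

    // A non-zero amount is paid out unchanged by either variant.
    function test_NonZeroAmountPaysOut() public {
        BridgeUnderTest bridge = new BridgeUnderTest(reth, diamond, false);
        vm.prank(diamond);
        bridge.unstake(user, 1 ether);
        assertEq(user.balance, 1 ether);
    }

    // onlyDiamond means an arbitrary user never reaches the amount parameter.
    function test_NonDiamondCallerRejected() public {
        BridgeUnderTest bridge = new BridgeUnderTest(reth, diamond, false);
        vm.prank(user);
        vm.expectRevert(bytes("not diamond"));
        bridge.unstake(user, 1 ether);
    }
}
```

Run it with `forge test` from a Foundry project that has `forge-std` installed. The mock deliberately accepts a zero burn so that the test exercises the bridge's own checks; the live Rocket Pool token may reject a zero burn on its own before the bridge's `netBalance` check is reached, which is worth confirming against the deployed token when assessing how much the extra `require` actually changes.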

Updates

Lead Judging Commences

0xnevi Lead Judge, over 1 year ago
Submission Judgement Published
Invalidated
Reason: User input validation
