DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: medium
Invalid

RPL owner could get infinite minting privileges

Summary

A dependency on the liquid staking derivative rETH can disrupt the DittoETH protocol.
The protocol owner of Rocket Pool (the rETH protocol), which is controlled through a multi-signature system, can modify the rocketDepositPool address. Such a change would grant infinite rETH minting privileges to the new address.

Vulnerability Details

The rETH mint function is restricted and can only be called by the RocketDepositPool contract.
Source

function mint(uint256 _ethAmount, address _to) override external onlyLatestContract("rocketDepositPool", msg.sender) {
    // Get rETH amount
    uint256 rethAmount = getRethValue(_ethAmount);
    // Check rETH amount
    require(rethAmount > 0, "Invalid token mint amount");
    // Update balance & supply
    _mint(_to, rethAmount);
    // Emit tokens minted event
    emit TokensMinted(_to, rethAmount, _ethAmount, block.timestamp);
}

Impact

Total disruption of the protocol: a new address with infinite minting privileges could swap its rETH for zETH and acquire all of the issued DittoAssets before RPL node operators reach consensus to account for the increase in supply, which would take time.

Tools Used

Manual review, RPL documentation.

Recommendations

DittoETH governance should be able to stop rETH inflows for zETH before the CR of the overall protocol falls below minimumCR, as is done in the MarketShutdownFacet.
A potential solution involves caching the rETH supply each hour on every rETH deposit and checking that no significant increase has happened since the last sample.
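The hourly supply-sampling check suggested above, sketched as an added example that is not part of the original submission or the DittoETH code base. The contract name, the IRocketTokenRETH interface (only totalSupply() is used), the basis-point threshold and the circuit-breaker behaviour are all assumptions; a real integration would call checkDeposit() from the bridge's deposit path and wire the pause into the existing shutdown logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal interface; only totalSupply() of the rETH token is needed.
interface IRocketTokenRETH {
    function totalSupply() external view returns (uint256);
}

/// Hypothetical guard: keeps an hourly baseline of rETH total supply and trips a
/// circuit breaker if the live supply has grown past a configured percentage of it.
contract RethSupplyGuard {
    uint256 public constant SAMPLE_PERIOD = 1 hours;

    IRocketTokenRETH public immutable reth;
    uint256 public immutable maxGrowthBps; // e.g. 500 = 5% growth per sample period
    address public immutable governance;

    uint256 public cachedSupply; // baseline taken at most once per SAMPLE_PERIOD
    uint256 public cachedAt;
    bool public paused;

    event SupplyAnomaly(uint256 baseline, uint256 current);

    constructor(address reth_, uint256 maxGrowthBps_, address governance_) {
        reth = IRocketTokenRETH(reth_);
        maxGrowthBps = maxGrowthBps_;
        governance = governance_;
        cachedSupply = reth.totalSupply();
        cachedAt = block.timestamp;
    }

    /// Called on every rETH deposit into the bridge. Returns false (and pauses)
    /// when supply grew too fast; the baseline is only advanced on a clean check,
    /// so an anomalous supply never becomes the new reference point by itself.
    function checkDeposit() external returns (bool ok) {
        if (paused) return false;
        uint256 current = reth.totalSupply();
        if (current > cachedSupply && (current - cachedSupply) * 10_000 > cachedSupply * maxGrowthBps) {
            paused = true;
            emit SupplyAnomaly(cachedSupply, current);
            return false;
        }
        if (block.timestamp - cachedAt >= SAMPLE_PERIOD) {
            cachedSupply = current;
            cachedAt = block.timestamp;
        }
        return true;
    }

    /// Governance re-enables deposits after verifying the supply change was legitimate.
    function unpause() external {
        require(msg.sender == governance, "not governance");
        paused = false;
        cachedSupply = reth.totalSupply();
        cachedAt = block.timestamp;
    }
}
```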

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
alra Submitter
over 1 year ago
0xnevi Lead Judge
over 1 year ago
alra Submitter
over 1 year ago
0xnevi Lead Judge
over 1 year ago
