Closed c4-bot-1 closed 2 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Readme: Issues related to front-running: can front-run someone's order, liquidation, the chainlink/uniswap oracle update.
hansfriese marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibBridgeRouter.sol#L72-L76
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibBridgeRouter.sol#L102-L106
Vulnerability details
Impact
Attacker can DoS by reverting the user's withdrawal transaction.
Proof of Concept
When withdrawing dETH as a collateral token (stETH or rETH), if there are more than 100 wei credits of the token not being withdrawn (if stETH is withdrawn then rETH, if rETH is withdrawn then stETH) and less than 100 wei balance remains in the bridge, it is possible to use the credit of the other token.
If a user has another token credit and more than 100 wei balance remains in the bridge, the withdrawal request transaction is cancelled.
When the situation occurs where the credit of another token can be used, the user will set the withdrawal amount parameter thinking that they can use both credits. If an attacker front-runs the withdrawal transaction and sends or deposits more than 100 wei of tokens to the bridge, the withdrawal transaction is reverted.
This is the PoC. You can add it to BridgeRouter.t.sol and run it.
Tools Used
Manual Review
Recommended Mitigation Steps
Instead of reverting the transaction with `revert Errors.MustUseExistingBridgeCredit();`, just use only the withdrawal token credit. The user will pay more fees than originally intended, but the transaction will not be reverted.
Or add a parameter to the `withdraw` function to decide whether to revert or pay more fees when the credit of another token cannot be used.
Assessed type
DoS
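The revert condition described in the Proof of Concept and the first recommended mitigation, as a simplified Python model added here (not the project's Solidity code and not the PoC test the report mentions). The function names, the credit accounting and the exact comparison at the 100 wei threshold are assumptions based only on the report's description.

```python
ROUNDING_ZERO = 100  # wei; the "100 wei" threshold from the report (boundary handling assumed)


class MustUseExistingBridgeCredit(Exception):
    """Stands in for Errors.MustUseExistingBridgeCredit() in this model."""


def assess_deth(amount, credit_same, credit_other, other_bridge_balance,
                revert_on_unusable_credit=True):
    """Hypothetical model of the credit check on withdrawal.

    Returns (fee_bearing_amount, credit_same_left, credit_other_left).
    credit_same is the user's credit in the token being withdrawn,
    credit_other the credit in the other token, other_bridge_balance the
    balance held by the other token's bridge when the transaction executes.
    """
    if credit_same >= amount:
        return 0, credit_same - amount, credit_other
    amount -= credit_same
    if credit_other < ROUNDING_ZERO:
        # No meaningful credit in the other token: the rest bears the fee.
        return amount, 0, credit_other
    if other_bridge_balance < ROUNDING_ZERO:
        # Other bridge is effectively empty: its credit may be spent here.
        used = min(credit_other, amount)
        return amount - used, 0, credit_other - used
    if revert_on_unusable_credit:
        # Behaviour the report describes: the whole withdrawal reverts.
        raise MustUseExistingBridgeCredit()
    # Recommended mitigation: spend only the withdrawal token's credit.
    return amount, 0, credit_other


def withdraw_outcome(other_bridge_balance, revert_on_unusable_credit):
    """Constructed scenario: withdraw 1e18 wei with 0.4e18 + 0.6e18 credit."""
    try:
        return assess_deth(10**18, 4 * 10**17, 6 * 10**17,
                           other_bridge_balance, revert_on_unusable_credit)
    except MustUseExistingBridgeCredit:
        return "reverted"


if __name__ == "__main__":
    print(withdraw_outcome(50, True))      # bridge balance as the user observed it
    print(withdraw_outcome(1000, True))    # balance raised before execution
    print(withdraw_outcome(1000, False))   # same state with the mitigation
```

The outcome of the current behaviour depends on a bridge balance that any third party can change between submission and execution, while the mitigated path always completes and charges the fee on the uncovered remainder.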