search

code-423n4 / 2024-03-dittoeth-findings

0 stars 0 forks source link

Anyone can call withdraw from BridgeReth leading to possible loss #234

Closed c4-bot-3 closed 4 months ago

c4-bot-3 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/bridges/BridgeReth.sol#L82

Vulnerability details

Impact

Protocol loses funds if BridgeReth logic is called by arbitrary address

Proof of Concept

Here, withdraw uses doesn't have access control nor accounting mechanism, this lets an attacker to drain funds


    function withdraw(address to, uint256 amount) external onlyDiamond returns (uint256) {
        IRocketTokenRETH rocketETHToken = _getRethContract();
        // Calculate dETH equivalent value in rETH
        uint256 rethValue = rocketETHToken.getRethValue(amount);
        // Transfer rETH from this bridge contract
        // @dev RETH uses OZ ERC-20, don't need to check success bool
        rocketETHToken.transfer(to, rethValue);
        return rethValue;
    }

Tools used

Manual

Recommended steps

fix access control

Assessed type

Access Control

c4-pre-sort commented 5 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as primary issue

raymondfam commented 5 months ago

Insufficient proof.

c4-judge commented 4 months ago

hansfriese marked the issue as unsatisfactory: Insufficient proof