Protocol loses funds if BridgeReth logic is called by arbitrary address
Proof of Concept
Here, withdraw uses doesn't have access control nor accounting mechanism, this lets an attacker to drain funds
function withdraw(address to, uint256 amount) external onlyDiamond returns (uint256) {
IRocketTokenRETH rocketETHToken = _getRethContract();
// Calculate dETH equivalent value in rETH
uint256 rethValue = rocketETHToken.getRethValue(amount);
// Transfer rETH from this bridge contract
// @dev RETH uses OZ ERC-20, don't need to check success bool
rocketETHToken.transfer(to, rethValue);
return rethValue;
}
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/bridges/BridgeReth.sol#L82
Vulnerability details
Impact
Protocol loses funds if BridgeReth logic is called by arbitrary address
Proof of Concept
Here, withdraw uses doesn't have access control nor accounting mechanism, this lets an attacker to drain funds
Tools used
Manual
Recommended steps
fix access control
Assessed type
Access Control