Closed c4-bot-1 closed 3 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
raymondfam marked the issue as sufficient quality report
Seems valid. Will let sponsor look into it.
ditto-eth (sponsor) disputed
the bridge pointer doesn't need to be set in this context because the pointer for bridgeReth is zero.
see Constants.sol
library VAULT {
// ONE is the default vault
uint256 internal constant ONE = 1;
// Bridges for Vault ONE
uint256 internal constant BRIDGE_RETH = 0;
}
additionally the initial premise of the issue is incorrect.
if (bridgePointer == VAULT.BRIDGE_RETH) {
VaultUser.bridgeCreditReth += amount;
} else {
VaultUser.bridgeCreditSteth += amount;
}
if the user specifies bridgeReth it will go the top if statement and not the else
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/libraries/LibBridgeRouter.sol#L30 https://github.com/code-423n4/2024-03-dittoeth/blob/91faf46078bb6fe8ce9f55bcb717e5d2d302d22e/contracts/facets/BridgeRouterFacet.sol#L157
Vulnerability details
Impact
When depositing via
BridgeRouterFacet::deposit
, the user needs to specify thebridge
and theamount
. The issue arises when the user specifies therethBridge
, but in_getVault()
, thebridgePointer
variable is left uninitialized, resulting inbridgePointer=0
:As a result,
bridgePointer
is set to zero, causing the amount to be credited tobridgeCreditSteth
instead ofbridgeCreditReth
inLibBridgeRouter#L30
.This discrepancy in accounting may lead to errors in tracking the deposited amount.
Tools used
Manual review
Proof of Concept
Recommended Mitigation Steps
To address this issue, ensure that the
bridgePointer
for therethBridge
is correctly specified in_getVault
:By adding this modification, the system will correctly credit the deposited amount to
bridgeCreditReth
, ensuring accurate accounting.Assessed type
Context