Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as primary issue
Sidu28 marked the issue as sponsor disputed
"There appear to be two cases here -- either:
1) The second validator was withdrawn after mostRecentWithdrawalBlockNumber, in which case the user can call verifyWithdrawalCredentialsAndBalance for the validator and proceed through the normal withdrawal flow
2) The second validator was withdrawn before mostRecentWithdrawalBlockNumber, in which case the ETH would have been credited to the EigenPod in the EigenPod and been withdrawn when withdrawBeforeRestaking was called
Neither case appears to be an issue."
Agree with the Sponsor that this is not an issue, ultimately the hasRestaked flag works as a one off, but the flow of funds is not blocked
Downgrading to QA
GalloDaSballo changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L454-L457
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L114-L117
Vulnerability details
Impact
User can deposit beacon chain ETH through the EigenPodManager and call stake, EigenPod created if user does not have one, then stake called inside EigenPod that will trigger "ETH2 Deposit Contract" with passing the required eth and parameters including _podWithdrawalCredentials. Suppose user successfully finished the Beacon Chain ETH deposit process by calling EigenPod.verifyWithdrawalCredentialsAndBalance after the appropriate condition is fulfilled.

The second time, the user goes through depositing beacon chain ETH with a different validator in the same EigenPod, but this time does not finish it with EigenPod.verifyWithdrawalCredentialsAndBalance and does not yet make the new validator status active inside the EigenPod; instead he wants to withdraw it by triggering a full withdrawal from the Beacon Chain. The balance will be sent to the EigenPod, but the user can't call withdrawBeforeRestaking, and the ETH will be stuck inside the EigenPod.
Proof of Concept
Consider the following scenario:
EigenPodManager.stake. https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPodManager.sol#L112-L119
EigenPod if don't have one, and will call pod.stake with providing the msg.value and the required parameters, EigenPod's stake will check the msg.value, and call ethPOS.deposit with also passing the required parameters, including the pod withdrawal credentials: https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L158-L163
EigenPod.verifyWithdrawalCredentialsAndBalance to finalize the deposit, and update hasRestaked state to true. https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L175-L226
EigenPod should be updated with the appropriate value. But can't finish withdrawBeforeRestaking since the hasNeverRestaked modifier will revert since hasRestaked is true. https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L454-L457
EigenPod and there is no way to withdraw it.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider either preventing more than one validator deposit to EigenPod or changing the hasRestaked to a mapping state per validatorIndex
Assessed type
Invalid Validation
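
The flag behaviour debated in this thread, as a toy Python model added here as an example (it is not code from the report or from EigenLayer). `PodModel`, `normal_withdrawal` and the amounts are assumptions: `normal_withdrawal` only stands in for the "normal withdrawal flow" named in the sponsor reply, and the other method names mirror the functions cited above.

```python
class Revert(Exception):
    """Stands in for a Solidity revert."""


class PodModel:
    """Toy model of the pod-wide flag; not the EigenPod.sol implementation."""

    def __init__(self):
        self.has_restaked = False   # one-off, pod-wide, never reset
        self.verified = set()       # validator indices with verified credentials
        self.balance = 0            # ETH held by the pod (constructed units)

    def receive_full_withdrawal(self, amount):
        self.balance += amount      # beacon chain pays out to the pod address

    def verify_withdrawal_credentials_and_balance(self, validator_index):
        self.verified.add(validator_index)
        self.has_restaked = True

    def withdraw_before_restaking(self):
        if self.has_restaked:       # the hasNeverRestaked modifier
            raise Revert("hasNeverRestaked")
        amount, self.balance = self.balance, 0
        return amount

    def normal_withdrawal(self, validator_index, amount):
        # Assumed placeholder for the "normal withdrawal flow" in the sponsor reply.
        if validator_index not in self.verified or amount > self.balance:
            raise Revert("not withdrawable")
        self.balance -= amount
        return amount


def run_scenario():
    pod = PodModel()
    pod.verify_withdrawal_credentials_and_balance(1)   # first validator restaked
    pod.receive_full_withdrawal(32)                    # second validator exits unverified
    try:
        pod.withdraw_before_restaking()
        sweep_reverted = False
    except Revert:
        sweep_reverted = True                          # the report's observation
    # Sponsor's case 1: verify the second validator, then withdraw normally.
    pod.verify_withdrawal_credentials_and_balance(2)
    recovered = pod.normal_withdrawal(2, 32)
    return sweep_reverted, recovered, pod.balance


if __name__ == "__main__":
    print(run_scenario())
```
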