Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as primary issue
Sidu28 marked the issue as disagree with severity
This is a theoretical griefing attack that is practically infeasible. The cost cannot be less to the would-be-attacker than it is to the owner of the StrategyManager. We believe it is Informational Severity.
GalloDaSballo marked the issue as unsatisfactory: Invalid
Agree with the sponsor, while marginal deposits are possible, the cost for slashing is lower (triggers some gas refunds), than the cost of griefing (zero to non-zero STOREs).
Lines of code
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L329-L429
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L536-L579
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/strategies/StrategyBase.sol#L121-L156
Vulnerability details
Impact
In StrategyManager.sol, there is no minimum withdrawal amount required when a staker calls queueWithdrawal(). This could disrupt the contract owner calling slashQueuedWithdrawal() if the entire shares for the particular strategy have been split into infinitely small chunks of queue.
Proof of Concept
Here is a possible scenario:
queueWithdrawal() that will have 1e9 - 1 shares removed each till strategy A is removed from stakerStrategyList with the last call on queueWithdrawal() entailing even smaller amount of shares.
stakerStrategyList, but unfortunately, he has other strategies under the operator's hands doing fairly well.
File: StrategyManager.sol#L456-L469
completeQueuedWithdrawal() before shares pending withdrawal become slashable.
File: StrategyManager.sol#L755-L758
queuedWithdrawals, totalShares amount in StrategyBase.sol is nearing MIN_NONZERO_TOTAL_SHARES that could possibly make slashQueuedWithdrawal() fail in the last loop iteration.
File: StrategyBase.sol#L137-L140
Tools Used
Manual
Recommended Mitigation Steps
Consider adding a require check in queueWithdrawal() requiring shares[i] >= 1e9.
Assessed type
Decimal
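One way to write the check recommended in the report above, as a stand-alone contract (an added example, not EigenLayer's code and not part of the original submission). The contract name, creditShares, queuedCount and the storage layout are hypothetical; only queueWithdrawal(), shares[i] and the 1e9 threshold come from the report. It also lets a staker exit a position that is itself smaller than the threshold, an edge case the report does not cover.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

/// Illustrative stand-in, NOT EigenLayer's StrategyManager. It keeps only the
/// per-staker share ledger needed to show a minimum-size check on withdrawals.
contract MinWithdrawalGuardExample {
    // Threshold taken from the report's recommendation (shares[i] >= 1e9).
    uint256 public constant MIN_WITHDRAWAL_SHARES = 1e9;

    // staker => strategy => shares (hypothetical simplified layout)
    mapping(address => mapping(address => uint256)) public stakerShares;
    // Queued withdrawals per staker: the number of entries that would have
    // to be processed one by one when slashing.
    mapping(address => uint256) public queuedCount;

    event WithdrawalQueued(address indexed staker, uint256 nonce);

    // Hypothetical helper standing in for a real deposit path.
    function creditShares(address strategy, uint256 amount) external {
        stakerShares[msg.sender][strategy] += amount;
    }

    function queueWithdrawal(address[] calldata strategies, uint256[] calldata shares) external {
        require(strategies.length == shares.length, "length mismatch");
        require(strategies.length != 0, "empty withdrawal");
        for (uint256 i = 0; i < strategies.length; ++i) {
            // Read from storage on every iteration so a strategy listed
            // twice is checked against its already-reduced balance.
            uint256 balance = stakerShares[msg.sender][strategies[i]];
            require(shares[i] <= balance, "shares too high");
            uint256 remaining = balance - shares[i];
            // Reject sub-threshold chunks, except when the withdrawal
            // empties the position, so small balances are never stuck.
            require(
                shares[i] >= MIN_WITHDRAWAL_SHARES || (remaining == 0 && shares[i] != 0),
                "withdrawal below minimum"
            );
            stakerShares[msg.sender][strategies[i]] = remaining;
        }
        uint256 nonce = queuedCount[msg.sender]++;
        emit WithdrawalQueued(msg.sender, nonce);
    }
}
```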