Closed code423n4 closed 1 year ago
0xSorryNotSorry marked the issue as primary issue
Sidu28 requested judge review
We believe this is a duplicate of issue 259, as it appears to have the same root cause.
GalloDaSballo changed the severity to QA (Quality Assurance)
L + 3
Lines of code
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L292-L293 https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L189-L198 https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L821-L836
Vulnerability details
Impact
A Beacon Chain validator who has his/her retaked ETH slashed, and then incurs a debt due to over commitment could end up having the debt amount not withdrawable by any party.
Proof of Concept
First off, Beacon Chain reward payments will be automatically triggered every few days with each validator sweep to EigenPod.sol that has been used as the withdrawal credentials. In the event the restaked ETH is slashed, the contract owner of StrategyManager.sol will understandably make the efforts claiming the slash amount at the expense of the rewards already swept to EigenPod.sol.
Next, when the validator runs into an over commitment, a debt is going to be incurred and assigned to
beaconChainETHSharesToDecrementOnWithdrawal
prior to removing shares for the enshrined beacon chain ETH strategy:https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L292-L293
https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L189-L198
When the validator exits Beacon Chain and makes a full withdrawal, the slashed amount equivalent to the debt has already been claimed by the contract owner of StrategyManager.sol at the time when
beaconChainETHSharesToDecrementOnWithdrawal[staker]
was still equal to zero.Now, as apparently evidenced from the code logic of
_withdrawBeaconChainETH()
below, it will decreaseamount
appropriately, so less is sent at the end.https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L821-L836
As a result, the debt amount is left stuck in EigenPod.sol. Neither can the contract owner of StrategyManager.sol claim it since there are no more shares to remove.
Recommended Mitigation Steps
It is recommended refactoring the code logic of
_withdrawBeaconChainETH)
such that if the debt has eralier been claimed by the contract owner of StrategyManager.sol viaslashShares()
. If so,beaconChainETHSharesToDecrementOnWithdrawal[staker]
should first be decremented so the last line of code,eigenPodManager.withdrawRestakedBeaconChainETH(staker, recipient, amount)
can directly execute.Assessed type
ETH-Transfer