code-423n4 / 2024-04-renzo-findings


Sudden increases in TVL can be exploited for profit #320

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/RestakeManager.sol#L491

Vulnerability details

The way the protocol is designed allows an attacker to take advantage of a sudden TVL increase. In Renzo a sudden TVL increase might happen for multiple reasons:

A user can exploit this for profit by minting ezETH tokens before the TVL increases, by doing the following:

  1. Deposit an accepted asset to mint ezETH tokens via RestakeManager::deposit()
  2. The TVL of the protocol gets updated and instantly increases, making the attacker's ezETH tokens worth more.
  3. Withdraw the ezETH tokens via WithdrawQueue::withdraw().
  4. Wait a delay and complete the withdrawal via WithdrawQueue::claim().

Impact

An attacker can take advantage of a sudden TVL increase to capture extra profit, which leads to fair users earning less than they should.

Proof of Concept

Alice notices there are validator rewards in an EigenPod, and the rewards can be transferred to Renzo:

  1. Alice mints ezETH via RestakeManager::deposit().
  2. Alice calls DelayedWithdrawalRouter::claimDelayedWithdrawals(), which instantly increases the TVL.
  3. Alice's ezETH is now worth more; she calls WithdrawQueue::withdraw() to schedule a future withdrawal of her ezETH.
  4. After a delay Alice calls WithdrawQueue::claim() to transfer the ETH/tokens to herself.

1, 2 and 3 can be performed atomically. 4 enforces a delay.

Recommended Mitigation Steps

Sudden TVL increases are unavoidable because at some point rewards have to be added to the TVL, and oracle updates are discrete. Similar systems generally use a deposit queue. Users should deposit their assets (e.g. ETH) first, and be able to claim their ezETH after a delay. The amount of ezETH to mint should be calculated at claim time.

Assessed type

Other
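The share-price arithmetic behind this finding, and the queued-deposit mitigation it recommends, as an added Python model. This is not Renzo's Solidity and not code from the report: the Pool class, its method names and the figures used (100 ETH of TVL backing 100 ezETH, a 100 ETH deposit, 10 ETH of rewards arriving) are constructed for illustration. Exact rationals are used so the comparison is not blurred by float rounding.

```python
from dataclasses import dataclass, field
from fractions import Fraction

# Added illustration, not the protocol's code: a toy accounting model of an
# ezETH-style token priced as TVL / supply.


@dataclass
class Pool:
    tvl: Fraction      # ETH value backing the token (constructed figures)
    supply: Fraction   # ezETH in circulation
    queue: list = field(default_factory=list)  # pending deposits, mitigated flow only

    def price(self) -> Fraction:
        """ETH per ezETH: TVL / supply, or 1:1 for an empty pool."""
        return self.tvl / self.supply if self.supply else Fraction(1)

    # --- current behaviour: mint at the price observed at deposit time ---
    def deposit_instant(self, eth: Fraction) -> Fraction:
        minted = eth / self.price()
        self.tvl += eth
        self.supply += minted
        return minted

    # --- sudden TVL jump, e.g. pending validator rewards landing in TVL ---
    def add_rewards(self, eth: Fraction) -> None:
        self.tvl += eth

    def redeem(self, ez: Fraction) -> Fraction:
        """Burn ezETH for its pro-rata share of TVL (withdraw/claim pair, delay ignored)."""
        eth = ez * self.price()
        self.tvl -= eth
        self.supply -= ez
        return eth

    # --- mitigated flow from the report: queue now, price and mint at claim time ---
    def queue_deposit(self, eth: Fraction) -> int:
        # Queued ETH stays outside TVL until claimed, so it is neither
        # credited with rewards nor priced until the mint actually happens.
        self.queue.append(eth)
        return len(self.queue) - 1

    def claim_deposit(self, ticket: int) -> Fraction:
        eth = self.queue[ticket]
        self.queue[ticket] = Fraction(0)
        return self.deposit_instant(eth)  # priced at whatever TVL/supply is *now*


def run_instant(initial_tvl, initial_supply, deposit, rewards):
    """Deposit right before rewards land, then exit.
    Returns (depositor_profit, ETH left for the pre-existing holders)."""
    p = Pool(Fraction(initial_tvl), Fraction(initial_supply))
    minted = p.deposit_instant(Fraction(deposit))
    p.add_rewards(Fraction(rewards))
    got = p.redeem(minted)
    return got - deposit, p.tvl


def run_queued(initial_tvl, initial_supply, deposit, rewards):
    """Same timeline with a deposit queue: the mint amount is fixed at claim time."""
    p = Pool(Fraction(initial_tvl), Fraction(initial_supply))
    ticket = p.queue_deposit(Fraction(deposit))
    p.add_rewards(Fraction(rewards))
    minted = p.claim_deposit(ticket)
    got = p.redeem(minted)
    return got - deposit, p.tvl


if __name__ == "__main__":
    for name, fn in (("instant mint", run_instant), ("deposit queue", run_queued)):
        profit, holders = fn(100, 100, 100, 10)
        print(f"{name:13s} depositor profit {profit} ETH, original holders keep {holders} ETH")
```

With the instant mint, the 10 ETH of rewards is split across 200 ezETH, so the late depositor walks away with 5 ETH that would otherwise have gone to the original holders; with the queue, the claim is priced after the rewards are in, the depositor's profit is 0 and the original holders keep the full 110 ETH. The model ignores the withdrawal delay; as the thread below discusses, a cooldown reduces the net gain by whatever yield the depositor forgoes while waiting, and a zero cooldown leaves the full 5 ETH on the table.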

jatinj615 commented 3 months ago

Similar to - #420

It is the expected behaviour in the protocol: as the rewards come into the protocol periodically, the arbitrage opportunities will be there, but when the user withdraws there will be a coolDownPeriod in which they won't be earning any rewards.

C4-Staff commented 3 months ago

CloudEllie marked the issue as primary issue

alcueca commented 3 months ago

The issue exists and is acknowledged by the sponsor. It is debatable how profitable the attack is given the cooldown period, and therefore how large the loss of yield to users.

@jatinj615, note again that a zero cooldown period would make this exploit completely viable.

c4-judge commented 3 months ago

alcueca marked issue #326 as primary and marked this issue as a duplicate of 326

c4-judge commented 3 months ago

alcueca marked the issue as satisfactory