Closed howlbot-integration[bot] closed 3 months ago
Similar to - #420
It is the expected behaviour in the protocol. As the rewards come in periodically into the protocol, the arbitrage opportunities will be there, but when the user withdraws there will be a coolDownPeriod in which they won't be earning any rewards.
CloudEllie marked the issue as primary issue
The issue exists and is acknowledged by the sponsor. It is debatable how profitable the attack is given the cooldown period, and therefore how large the loss of yield to users.
@jatinj615, note again that a zero cooldown period would make this exploit completely viable.
alcueca marked issue #326 as primary and marked this issue as a duplicate of 326
alcueca marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/RestakeManager.sol#L491
Vulnerability details
The way the protocol is designed allows an attacker to take advantage of a sudden TVL increase. In Renzo a sudden TVL increase might happen for multiple reasons:
DepositQueue, whose tokens are not accounted for in the protocol TVL, and deposits them in the protocol via the RestakeManager without minting extra ezETH tokens.
A user can exploit this for profit by minting ezETH tokens before the TVL increases, by doing the following:
ezETH tokens via RestakeManager::deposit()
ezETH tokens worth more.
ezETH tokens via WithdrawQueue::withdraw().
Impact
An attacker can take advantage of a sudden TVL increase to capture extra profit, which leads to fair users earning less than they should.
Proof of Concept
Alice notices there are validator rewards in an EigenPod, and the rewards can be transferred to Renzo:
ezETH via RestakeManager::deposit().
ezETH are now valued more, she calls WithdrawQueue::withdraw() to schedule a future withdrawal of her ezETH.
1, 2 and 3 can be performed atomically. 4 enforces a delay.
Recommended Mitigation Steps
Sudden TVL increases are unavoidable because at some point rewards have to be added to the TVL, and oracle updates are discrete. Similar systems generally use a deposit queue. Users should deposit their assets (ex. ETH) first, and be able to claim their ezETH after a delay. The amount of ezETH to mint should be calculated at claim time.
Assessed type
Other
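A numeric model of the share accounting described in the report, as an added example that is not part of the original submission or Renzo's code. The Vault class, the simulate function and all amounts are constructed assumptions, and the withdrawal cooldown is not modelled. It compares minting at deposit time with the recommended deposit queue, where the mint amount is calculated at claim time.

```python
from fractions import Fraction


class Vault:
    """Toy pro-rata share vault (constructed model): price = tvl / supply."""

    def __init__(self, tvl, supply):
        self.tvl, self.supply = Fraction(tvl), Fraction(supply)

    def mint(self, amount):
        # Shares are priced at the TVL known at the moment of minting.
        shares = Fraction(amount) * self.supply / self.tvl
        self.tvl += amount
        self.supply += shares
        return shares

    def add_rewards(self, amount):
        # Rewards raise the TVL without minting new shares.
        self.tvl += amount

    def value_of(self, shares):
        return shares * self.tvl / self.supply


def simulate(tvl, supply, deposit, rewards, queued):
    """Return (late depositor gain, existing holders' gain) in asset units.

    queued=False: shares are minted at deposit time, before rewards land.
    queued=True:  the deposit waits outside the TVL and shares are minted
                  at claim time, after rewards were added during the delay.
    """
    vault = Vault(tvl, supply)
    if queued:
        vault.add_rewards(rewards)
        shares = vault.mint(deposit)
    else:
        shares = vault.mint(deposit)
        vault.add_rewards(rewards)
    depositor_gain = vault.value_of(shares) - deposit
    holders_gain = vault.value_of(Fraction(supply)) - tvl
    return depositor_gain, holders_gain


if __name__ == "__main__":
    # Constructed numbers: 1000 TVL, 1000 shares, 100 deposit, 11 rewards.
    for queued in (False, True):
        gain, holders = simulate(1000, 1000, 100, 11, queued)
        print(f"queued={queued}: depositor gain={gain}, holders gain={holders}")
```

With mint-at-deposit the late depositor captures part of rewards accrued before they joined; with mint-at-claim the full reward stays with the holders who were exposed while it accrued.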