Closed howlbot-integration[bot] closed 5 months ago
CloudEllie marked the issue as duplicate of #320
alcueca marked the issue as not a duplicate
Operator who holds active key initiates validator exit
That would be Medium, since it is a trusted role
Validator is slashed to 16 ETH and is forcefully exited
That doesn't require a trusted role, and makes this a duplicate of #441
Operator calls undelegate on Eigenlayer's DelegationManager
That would be Medium, since it is a trusted role
alcueca marked the issue as duplicate of #441
alcueca marked the issue as duplicate of #326
alcueca marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L274
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Delegation/OperatorDelegator.sol#L274
Vulnerability details
Impact
calculateTVLs() fails to consider ETH queued for withdrawals when withdrawals are initiated from sources external to Renzo. This oversight leads to an underestimated TVL, potentially enabling an attacker to purchase ezETH at a temporary discount.
Proof of Concept
The problem lies in the fact that withdrawals may be triggered from outside of Renzo. This can happen when:
When withdrawals are initiated from external sources, such as above, Renzo's TVL calculation fails to account for the ETH queued for withdrawal. This oversight results in an underestimation of TVL during the withdrawal delay period, creating an opportunity for individuals to purchase ezETH at a temporary discount.
Consider this hypothetical situation:
ezETH and TVL is 96 ETH, implying a ratio of 1 ezETH to 1 ETH.
Eigenlayer and reducing the shares of the Eigenpod by 32 ETH.
calculateTVLs() decreases by 32 ETH due to the reduction in shares, but Renzo remains unaware of the ETH in the withdrawal queue. Consequently, the exchange rate shifts to 96 ezETH to 64 ETH, resulting in a ratio of 0.67.
ezETH. They wait for the withdrawal to complete, after which the ETH is transferred to Renzo's Restaking Manager, restoring the TVL to its original value.
ezETH increases, allowing the operator to sell ezETH for a profit.
A malicious operator or any observer who identifies this issue can profit by purchasing ezETH at a lower price and selling it for a profit several days later. This comes at the expense of existing ezETH holders, whose shares will be diluted.
This scenario could also occur during a significant slashing event, such as a smart contract bug, where numerous validators are slashed to 16 ETH and forcefully exited. Observers of this event would have an opportunity to exploit the temporary underpricing of ezETH.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider off-chain monitoring for such edge-case withdrawals and temporarily pause Renzo operations until the withdrawals have completed and ETH is back inside Renzo's system. This will require implementing a pause function in Renzo.
Assessed type
Other
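The hypothetical situation above as a small Python model, added here as an illustration and not taken from the report or from Renzo's contracts: it reproduces the 0.67 rate, quantifies the dilution borne by existing holders, and includes the kind of off-chain check the mitigation suggests. The Pool class, the should_pause rule and the 32 ETH deposit size are assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction as F

@dataclass
class Pool:
    """Toy model of the accounting in this report; not Renzo's contract code."""
    supply: F               # ezETH outstanding
    shares_eth: F           # ETH backing visible to the TVL calculation
    unseen_queue: F = F(0)  # ETH queued for withdrawal by an external trigger

    def reported_tvl(self) -> F:
        return self.shares_eth            # the queue is not counted (the reported issue)

    def external_withdrawal(self, eth: F) -> None:
        self.shares_eth -= eth            # EigenPod shares drop...
        self.unseen_queue += eth          # ...but the ETH still belongs to the pool

    def mint(self, deposit: F) -> F:
        minted = deposit * self.supply / self.reported_tvl()  # pro-rata mint
        self.supply += minted
        self.shares_eth += deposit        # simplification: deposit counted at once
        return minted

    def complete_withdrawal(self) -> None:
        self.shares_eth += self.unseen_queue  # ETH returns, TVL is restored
        self.unseen_queue = F(0)

def should_pause(prev_shares: F, cur_shares: F, renzo_queued: F) -> bool:
    """Monitor rule (assumed): shares fell by more than Renzo itself queued."""
    return (prev_shares - cur_shares) > renzo_queued

def run_scenario(deposit: F = F(32)) -> dict:
    """Report's numbers: 96 ezETH, 96 ETH TVL, 32 ETH withdrawn externally.
    The 32 ETH deposit size is a constructed value, not from the report."""
    pool = Pool(supply=F(96), shares_eth=F(96))
    before = pool.shares_eth
    pool.external_withdrawal(F(32))
    alarm = should_pause(before, pool.shares_eth, renzo_queued=F(0))
    rate = pool.reported_tvl() / pool.supply   # ETH per ezETH during the delay
    minted = pool.mint(deposit)
    pool.complete_withdrawal()
    final_rate = pool.reported_tvl() / pool.supply
    return {"alarm": alarm, "rate_during_delay": rate, "minted": minted,
            "loss_to_prior_holders": F(96) - F(96) * final_rate}

if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

In this model a pause triggered by the alarm before any mint keeps the loss at zero, since no ezETH is issued at the understated rate.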