code-423n4 / 2024-04-renzo-findings


The Total Value Locked (TVL) might be manipulated if withdrawals occur outside of Renzo. #327

Closed howlbot-integration[bot] closed 5 months ago

howlbot-integration[bot] commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L274 https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Delegation/OperatorDelegator.sol#L274

Vulnerability details

Impact

calculateTVLs() fails to consider ETH queued for withdrawals when withdrawals are initiated from sources external to Renzo. This oversight leads to an underestimated TVL, potentially enabling an attacker to purchase ezETH at a temporary discount.

Proof of Concept

The problem lies in the fact that withdrawals may be triggered from outside of Renzo. This can happen when:

  1. An operator who holds an active key initiates a validator exit
  2. A validator is slashed to 16 ETH and is forcefully exited
  3. An operator calls undelegate on Eigenlayer's DelegationManager

When withdrawals are initiated from external sources, such as above, Renzo's TVL calculation fails to account for the ETH queued for withdrawal. This oversight results in an underestimation of TVL during the withdrawal delay period, creating an opportunity for individuals to purchase ezETH at a temporary discount.

Consider this hypothetical situation:

  1. The total supply of ezETH and TVL is 96 ETH, implying a ratio of 1 ezETH to 1 ETH.
  2. A malicious operator holding a minority allocation 'accidentally' triggers a withdrawal on the Beacon chain by undelegating himself.
  3. The staked ETH balance decreases by 32 ETH, reflecting on Eigenlayer and reducing the shares of the Eigenpod by 32 ETH.
  4. Renzo's calculateTVLs() decreases by 32 ETH due to the reduction in shares, but Renzo remains unaware of the ETH in the withdrawal queue. Consequently, the exchange rate shifts to 96 ezETH to 64 ETH, resulting in a ratio of 0.67.
  5. The malicious operator capitalizes on the opportunity to purchase cheap ezETH. They wait for the withdrawal to complete, after which the ETH is transferred to Renzo's Restaking Manager, restoring the TVL to its original value.
  6. The value of ezETH increases, allowing the operator to sell ezETH for a profit.

A malicious operator or any observer who identifies this issue can profit by purchasing ezETH at a lower price and selling it for a profit several days later. This comes at the expense of existing ezETH holders, whose shares will be diluted.

This scenario could also occur during a significant slashing event, such as a smart contract bug, where numerous validators are slashed to 16 ETH and forcefully exited. Observers of this event would have an opportunity to exploit the temporary underpricing of ezETH.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider off-chain monitoring for such edge case withdrawals and temporarily pause Renzo operations until the withdrawals have completed and the ETH is back inside Renzo's system. This will require implementation of a pause function in Renzo.

Assessed type

Other
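The exchange-rate shift described in the finding, modelled as an added example that is not part of the report or of Renzo's own code. It assumes a share-style mint (ezETH minted = deposit * supply / TVL), which is a modelling assumption, and uses the finding's figures (96 ezETH against 96 ETH, 32 ETH entering the withdrawal queue). It contrasts a TVL that omits queued ETH with one that counts it, and includes the simple "pending withdrawal, pause deposits" check the mitigation section calls for.

```python
from dataclasses import dataclass
from fractions import Fraction as F


@dataclass
class State:
    """Constructed toy state; field names are assumptions, not Renzo's storage layout."""
    ez_eth_supply: F            # total ezETH minted
    eigenpod_shares_eth: F      # ETH value attributed to EigenPod shares
    queued_withdrawal_eth: F    # ETH sitting in the Beacon chain / EigenLayer withdrawal delay
    manager_balance_eth: F      # ETH already back in the RestakeManager


def tvl_as_reported(s: State) -> F:
    """Model of the reported flaw: ETH in the withdrawal queue is invisible to the TVL."""
    return s.eigenpod_shares_eth + s.manager_balance_eth


def tvl_including_queue(s: State) -> F:
    """Corrected TVL: queued ETH still belongs to the protocol and is counted."""
    return tvl_as_reported(s) + s.queued_withdrawal_eth


def eth_per_ez_eth(tvl: F, supply: F) -> F:
    return tvl / supply


def ez_eth_minted(deposit_eth: F, tvl: F, supply: F) -> F:
    # Assumed share-style pricing: the depositor receives a pro-rata slice of supply.
    return deposit_eth * supply / tvl


def should_pause_deposits(s: State) -> bool:
    """Mitigation check: any ETH in the withdrawal queue means the TVL is not trustworthy."""
    return s.queued_withdrawal_eth > 0


def simulate(deposit_eth: F, tvl_fn) -> tuple:
    """Walk the finding's scenario under a given TVL function.

    Returns (rate at deposit time, ezETH minted, depositor's ETH profit after the
    queued withdrawal lands back in the RestakeManager).
    """
    s = State(ez_eth_supply=F(96), eigenpod_shares_eth=F(96),
              queued_withdrawal_eth=F(0), manager_balance_eth=F(0))

    # Steps 2-3: 32 ETH leaves the EigenPod shares and enters the withdrawal queue.
    s.eigenpod_shares_eth -= 32
    s.queued_withdrawal_eth += 32

    # Step 4-5: price and mint against whatever TVL this function reports.
    rate_before = eth_per_ez_eth(tvl_fn(s), s.ez_eth_supply)
    minted = ez_eth_minted(deposit_eth, tvl_fn(s), s.ez_eth_supply)
    s.ez_eth_supply += minted
    s.manager_balance_eth += deposit_eth

    # Withdrawal completes: the queued ETH returns to the RestakeManager.
    s.manager_balance_eth += s.queued_withdrawal_eth
    s.queued_withdrawal_eth = F(0)

    # Step 6: value of the freshly minted ezETH at the restored TVL.
    rate_after = eth_per_ez_eth(tvl_fn(s), s.ez_eth_supply)
    profit = minted * rate_after - deposit_eth
    return rate_before, minted, profit


if __name__ == "__main__":
    for name, fn in (("as reported", tvl_as_reported), ("including queue", tvl_including_queue)):
        rate, minted, profit = simulate(F(32), fn)
        print(f"TVL {name:16s} rate={float(rate):.3f} ETH/ezETH "
              f"minted={float(minted):.2f} ezETH profit={float(profit):.2f} ETH")
```

With the reported TVL the rate drops to 2/3, a 32 ETH deposit mints 48 ezETH and is worth 42.67 ETH once the queue clears; counting queued ETH keeps the rate at 1 and the profit at zero, and `should_pause_deposits` is true for exactly the window in which the two TVL functions disagree.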

C4-Staff commented 5 months ago

CloudEllie marked the issue as duplicate of #320

c4-judge commented 5 months ago

alcueca marked the issue as not a duplicate

alcueca commented 5 months ago

Operator who holds active key initiates validator exit

That would be Medium, since it is a trusted role

Validator is slashed to 16 ETH and is forcefully exited

That doesn't require a trusted role, and makes this a duplicate of #441

Operator calls undelegate on Eigenlayer's DelegationManager

That would be Medium, since it is a trusted role

c4-judge commented 5 months ago

alcueca marked the issue as duplicate of #441

c4-judge commented 4 months ago

alcueca marked the issue as duplicate of #326

c4-judge commented 4 months ago

alcueca marked the issue as satisfactory