search

code-423n4 / 2024-04-renzo-findings

12 stars 8 forks source link

`DepositQueue` contract hold ERC20 tokens as rewards but not accounted for in TVL in `RestakeManager` contract leading to lower TVL calculation compared to true TVL #378

Open howlbot-integration[bot] opened 6 months ago

howlbot-integration[bot] commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/1c7cc4e632564349b204b4b5e5f494c9b0bc631d/contracts/Deposits/DepositQueue.sol#L254-L277 https://github.com/code-423n4/2024-04-renzo/blob/1c7cc4e632564349b204b4b5e5f494c9b0bc631d/contracts/RestakeManager.sol#L352

Vulnerability details

Impact

unfair lower TVL calculation for users that submits withdraw request before a sweepERC20 function called

Proof of Concept

in restakeManager::calculateTVL() the function calculates adds only the native balance of DepositQueueto total TVL but doesn't account for the ERC20 tokens held there as rewards that will be swept using depositQueue::sweepERC20 this will harm users that will submit withdrawals before the sweep is called giving them lower amount redeemed due to lower TVL miscalculated

Tools Used

manual review

Recommended Mitigation Steps

account for erc20 tokens held in DepositQueue when calculating restakeManager::calculateTVL()

Assessed type

Other

c4-judge commented 6 months ago

alcueca marked the issue as not a duplicate

c4-judge commented 6 months ago

alcueca marked the issue as duplicate of #383

c4-judge commented 6 months ago

alcueca marked the issue as satisfactory

c4-judge commented 6 months ago

alcueca changed the severity to QA (Quality Assurance)

c4-judge commented 6 months ago

alcueca marked the issue as grade-b