code-423n4 / 2024-04-renzo-findings


Users can front-run eigenlayer updates to avoid penalties #442

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Withdraw/WithdrawQueue.sol#L206

Vulnerability details

Validator balances are updated when verifyBalanceUpdates() is called on an EigenPod if a validator is penalized, or when verifyAndProcessWithdrawals() is called if a validator is slashed, which means these actions are known before they take effect in the EigenLayer system. The issue is that users can front-run these calls to initiate a withdrawal and get more out of the system before the total TVL calculations take place with the updates, as the withdraw request will be cached with the stale TVL calculations.

Impact

Users front-running slashing and penalty updates will be stealing from other users.

Tools Used

Manual review

Recommended Mitigation Steps

Ensure that the correct amount of penalties is distributed evenly among stakers.

Assessed type

Other

jatinj615 commented 3 months ago

Expected behaviour.

C4-Staff commented 3 months ago

CloudEllie marked the issue as primary issue

alcueca commented 3 months ago

@jatinj615, if this is expected behaviour, it is not documented, and runs contrary to the stated invariants of the protocol (#441).

ezETH should be minted or redeemed based on current supply and TVL.

In #438 there is also a possible mitigation, calculating withdrawal amounts at claim time instead of withdrawal time.
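The accounting difference between caching the amount at request time and computing it at claim time, as an added example that is not part of this thread or of the Renzo contracts. The `Pool` class, its method names and all numbers are constructed for illustration; the model assumes queued shares stay in supply until they are claimed.

```python
from fractions import Fraction

class Pool:
    """Toy share pool (constructed model, not the Renzo contracts)."""
    def __init__(self, tvl, supply, price_at_claim):
        self.tvl, self.supply = Fraction(tvl), Fraction(supply)
        self.price_at_claim = price_at_claim  # False: cache the amount at request time
        self.queue = {}  # user -> (shares, amount cached at request time)

    def rate(self):
        # Value of one share, from current TVL and current supply.
        return self.tvl / self.supply

    def request_withdraw(self, user, shares):
        shares = Fraction(shares)
        self.queue[user] = (shares, shares * self.rate())

    def apply_penalty(self, loss):
        # A balance update lowers the TVL for everyone still in supply.
        self.tvl -= loss

    def claim(self, user):
        shares, cached = self.queue.pop(user)
        # Mitigation: price the shares now rather than paying the stale amount.
        amount = shares * self.rate() if self.price_at_claim else cached
        self.tvl -= amount
        self.supply -= shares
        return amount

def scenario(price_at_claim):
    # Two holders with 500 shares each; TVL 1000, so one share is worth 1.
    pool = Pool(tvl=1000, supply=1000, price_at_claim=price_at_claim)
    pool.request_withdraw("alice", 500)  # queued before the update is applied
    pool.apply_penalty(100)              # the update then reduces the TVL
    alice_paid = pool.claim("alice")
    bob_value = 500 * pool.rate()        # what the remaining holder's shares are worth
    return alice_paid, bob_value

if __name__ == "__main__":
    for mode in (False, True):
        paid, left = scenario(mode)
        print(f"price_at_claim={mode}: withdrawer paid {paid}, remaining holder has {left}")
```

With the cached amount the whole loss lands on the remaining holder; pricing at claim time splits it in proportion to shares.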

alcueca commented 3 months ago

Downgrading to Medium. There is a loss of value to users, but its significance is debatable since it's related to how much slashing events can be arbitraged.

c4-judge commented 3 months ago

alcueca changed the severity to 2 (Med Risk)

c4-judge commented 3 months ago

alcueca marked the issue as satisfactory

c4-judge commented 3 months ago

alcueca marked issue #441 as primary and marked this issue as a duplicate of 441

c4-judge commented 3 months ago

alcueca changed the severity to 3 (High Risk)

c4-judge commented 3 months ago

alcueca marked the issue as duplicate of #326