Closed howlbot-integration[bot] closed 5 months ago
In the extreme cases, when protocol decides to remove the collateral Token support from deposit. Then the expected behaviour is to first increase the withdrawBufferTarget to support the deposited collateral in the removed Token and then perform withdrawal from EigenLayer and fill up the withdraw Buffer for users to claim.
CloudEllie marked the issue as primary issue
alcueca marked issue #97 as primary and marked this issue as a duplicate of 97
alcueca changed the severity to 3 (High Risk)
This finding fails to address the actual impacts of unsafe removal of collaterals.
alcueca marked the issue as unsatisfactory: Invalid
alcueca changed the severity to 2 (Med Risk)
alcueca marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/RestakeManager.sol#L244-L263
Vulnerability details
Impact
A supported token can be removed by the admin through removeCollateralToken(). It's fair to assume that the action to remove an existing token could be taken in light of some suspicious activity, for example abnormal price manipulation or swings witnessed for the token or some other extreme event. And hence the protocol would want that interactions with the token are cut off.
The
removeCollateralToken()
function updates thecollateralTokens[]
array by removing the said_token
when called by the roleRestakeManagerAdmin
. However, existing configurations ofwithdrawalBufferTarget[_token]
,tokenOracleLookup[_token]
andcollateralTokenTvlLimits[_token]
are never reset by the protocol unless explicitly called by other admin roles.This is non-trivial because these functions are supposed to be called by different roles:
onlyRestakeManagerAdmin
modifier.onlyOracleAdmin
modifier.onlyWithdrawQueueAdmin
modifier.Hence if
removeCollateralToken()
for_token
is called by theRestakeManagerAdmin
first, a user can back-run this and can call withdraw() and choose to receive the redemption amount in_token
amount. His call will pass the withdrawalBufferTarget check here and the oracle existence check here since they were never automatically reset upon removal of the collateral token.Given that
_token
is witnessing suspicious price manipulation activity, the user could potentially extract more value than the protocol intended to provide.Proof of Concept
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/RestakeManager.sol#L244-L263
Tools Used
Manual review
Recommended Mitigation Steps
Inside
removeCollateralToken()
, reset the token's oracle address, the withdraw buffer target as well as the token TVL limit to zero.Assessed type
Other