code-423n4 / 2024-04-renzo-findings


OperatorDelegator cannot handle ERC20 rewards #493

Closed howlbot-integration[bot] closed 5 months ago

howlbot-integration[bot] commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Delegation/OperatorDelegator.sol#L355

Vulnerability details

Cause

The OperatorDelegator is the staker from EigenLayer's point of view, so it is both the recipient of EIGEN (for staking ERC20 tokens and being the pod owner) and the likely recipient of other ERC20 rewards, for example from the AVSs validated by the operators. However, OperatorDelegator has no functionality to claim any rewards (such as the EIGEN stake-drop) or handle ERC20 tokens sent to it, or made available to claim for the staking performed.

Impact

Since Renzo is a restaking protocol, which is staking and restaking funds for yield, being able to claim the rewards is a crucial core functionality. Without this functionality, the protocol will miss out on potential rewards, which could have been distributed to the ezETH holders.

While specific arrangements can be handled off-chain, some on-chain measures are required as well, at least for the case that ERC20 tokens are sent to the contract.

Proof of Concept

N/A

Tools Used

Manual Review

Recommended Mitigation Steps

Add ERC20 recovery functionality to the OperatorDelegator contract to allow handling ERC20 rewards. This functionality should be restricted to the contract owner or a designated admin role to prevent unauthorized token transfers, and it should not be allowed to handle collateral assets.

Assessed type

ERC20
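
The mitigation recommended above, sketched as an added example that is neither the warden's nor Renzo's code: an admin-gated ERC20 sweep that refuses collateral tokens. The `IRoleManager` interface, the `isCollateral` registry and the `RecoverableDelegator` contract name are assumptions standing in for the protocol's own role checks and token-to-strategy bookkeeping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Stand-in for the protocol's role registry (assumed interface).
interface IRoleManager {
    function isOperatorDelegatorAdmin(address who) external view returns (bool);
}

/// Sketch of an ERC20 recovery path for an OperatorDelegator-like contract.
/// Collateral is what the delegator restakes; it must never be movable here,
/// otherwise "recovery" becomes a withdrawal path that bypasses accounting.
contract RecoverableDelegator {
    using SafeERC20 for IERC20;

    IRoleManager public immutable roleManager;
    /// token => true if it is a restaked collateral asset (assumed registry,
    /// mirroring the real contract's token-to-strategy mapping)
    mapping(address => bool) public isCollateral;

    event ERC20Recovered(address indexed token, address indexed to, uint256 amount);

    error NotAdmin();
    error CollateralAssetNotRecoverable(address token);
    error ZeroAddress();

    modifier onlyOperatorDelegatorAdmin() {
        if (!roleManager.isOperatorDelegatorAdmin(msg.sender)) revert NotAdmin();
        _;
    }

    constructor(IRoleManager _roleManager, address[] memory collateralTokens) {
        roleManager = _roleManager;
        for (uint256 i = 0; i < collateralTokens.length; i++) {
            isCollateral[collateralTokens[i]] = true;
        }
    }

    /// Admin-only sweep of a non-collateral ERC20 (e.g. a reward token) to a
    /// governance-chosen destination such as the protocol's reward handler.
    function recoverERC20(address token, address to, uint256 amount)
        external
        onlyOperatorDelegatorAdmin
    {
        if (to == address(0)) revert ZeroAddress();
        if (isCollateral[token]) revert CollateralAssetNotRecoverable(token);
        IERC20(token).safeTransfer(to, amount);
        emit ERC20Recovered(token, to, amount);
    }
}
```

The collateral check is the part worth testing: a unit test should assert that `recoverERC20` reverts for every registered collateral token and for non-admin callers, and that the event is emitted only on the success path.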

C4-Staff commented 5 months ago

CloudEllie marked the issue as duplicate of #494

c4-judge commented 5 months ago

alcueca marked the issue as not a duplicate

c4-judge commented 5 months ago

alcueca marked the issue as primary issue

c4-judge commented 5 months ago

alcueca marked the issue as unsatisfactory: Invalid