Users rewards from native stake are in the DelayedWithdrawalRouter and wil lbe claimed later, leading to incorrect TVL and allowing users to easily frontrun tvl updates and profit.
Proof of Concept
RestakeManager::calculateTVLs() does not take into account ETH in the DelayedWithdrawalRouter, which will happen every time a ETH withdrawal is executed in OperatorDelegator::completeQueuedWithdrawal(). In this function, the rewards from native staking will be sent to the DelayedWithdrawalRouter, where they will be kept until they are claimed and sent to the OperatorDelegator, where they are correctly accounted for. Thus, in the meantime users can buy ezETH cheaper than intended and sellers will take a loss.
Tools Used
Vscode
Recommended Mitigation Steps
Include the balance of the DelayedWithdrawalRouter in the calculation of the total TVL.
DadeKuma
commented
5 months ago
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/RestakeManager.sol#L274 https://github.com/Layr-Labs/eigenlayer-contracts/blob/dev/src/contracts/pods/EigenPod.sol#L274
Vulnerability details
Impact
Users rewards from native stake are in the
DelayedWithdrawalRouterand wil lbe claimed later, leading to incorrect TVL and allowing users to easily frontrun tvl updates and profit.Proof of Concept
RestakeManager::calculateTVLs()does not take into account ETH in theDelayedWithdrawalRouter, which will happen every time a ETH withdrawal is executed inOperatorDelegator::completeQueuedWithdrawal(). In this function, the rewards from native staking will be sent to theDelayedWithdrawalRouter, where they will be kept until they are claimed and sent to theOperatorDelegator, where they are correctly accounted for. Thus, in the meantime users can buy ezETH cheaper than intended and sellers will take a loss.Tools Used
Vscode
Recommended Mitigation Steps
Include the balance of the
DelayedWithdrawalRouterin the calculation of the total TVL.Assessed type
Other