code-423n4 / 2024-04-renzo-validation


OperatorDelegator cannot handle ERC20 rewards #768

Closed c4-bot-3 closed 5 months ago

c4-bot-3 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Delegation/OperatorDelegator.sol#L355

Vulnerability details

Cause

The OperatorDelegator is the staker from EigenLayer's point of view, so it is both the recipient of EIGEN (for staking ERC20 tokens and being the pod owner) and the likely recipient of other ERC20 rewards, for example from the AVSs validated by the operators. However, OperatorDelegator has no functionality to claim any rewards (such as the EIGEN stake-drop) or handle ERC20 tokens sent to it, or made available to claim for the staking performed.

Impact

Since Renzo is a restaking protocol, which is staking and restaking funds for yield, being able to claim the rewards is a crucial core functionality. Without this functionality, the protocol will miss out on potential rewards, which could have been distributed to the ezETH holders.

While specific arrangements can be handled off-chain, some on-chain measures are required as well, at least for the case that ERC20 tokens are sent to the contract.

Proof of Concept

N/A

Tools Used

Manual Review

Recommended Mitigation Steps

Add ERC20 recovery functionality to the OperatorDelegator contract to allow handling ERC20 rewards. This functionality should be restricted to the contract owner or a designated admin role to prevent unauthorized token transfers, and it should not be allowed to handle collateral assets.

Assessed type

ERC20
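A sketch of the recovery path recommended above, as an added example rather than Renzo's code or a patch to OperatorDelegator: the admin gate, the refusal of collateral assets, and the zero-address and non-standard-token handling are what a reviewer would expect to see. The `admin` address, the `isCollateral` mapping and the contract name are assumptions for this example; Renzo's actual role management and collateral bookkeeping are not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Minimal ERC20 surface needed by this example.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical staker-style contract illustrating an admin-only ERC20
/// recovery function. `admin` and `isCollateral` stand in for whatever
/// role check and collateral registry the real protocol uses.
contract RewardRecoveryExample {
    address public immutable admin;
    mapping(address => bool) public isCollateral;

    event ERC20Recovered(address indexed token, address indexed to, uint256 amount);

    error NotAdmin();
    error ZeroAddress();
    error CollateralAsset(address token);
    error NotAContract(address token);
    error TransferFailed(address token);

    constructor(address admin_, address[] memory collateralTokens) {
        if (admin_ == address(0)) revert ZeroAddress();
        admin = admin_;
        for (uint256 i = 0; i < collateralTokens.length; i++) {
            isCollateral[collateralTokens[i]] = true;
        }
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    /// Sweep a non-collateral ERC20 (for example an AVS reward token) to `to`.
    /// Collateral assets are refused so this path cannot be used to move user
    /// deposits. `amount == 0` means "sweep the full balance".
    function recoverERC20(address token, address to, uint256 amount) external onlyAdmin {
        if (to == address(0)) revert ZeroAddress();
        if (isCollateral[token]) revert CollateralAsset(token);
        if (amount == 0) amount = IERC20(token).balanceOf(address(this));
        _safeTransfer(token, to, amount);
        emit ERC20Recovered(token, to, amount);
    }

    /// Low-level transfer that accepts tokens returning nothing (USDT style)
    /// but rejects an explicit `false`, a revert, or a non-contract address
    /// (a call to an EOA would otherwise "succeed" with empty return data).
    function _safeTransfer(address token, address to, uint256 amount) internal {
        if (token.code.length == 0) revert NotAContract(token);
        (bool ok, bytes memory data) = token.call(abi.encodeCall(IERC20.transfer, (to, amount)));
        if (!ok || (data.length != 0 && !abi.decode(data, (bool)))) revert TransferFailed(token);
    }
}
```

If the recovery function is placed in a contract that also holds collateral in transit (for example funds waiting to be deposited into EigenLayer), the collateral check is the part that matters most; an admin-only sweep with no such exclusion turns the admin role into a withdrawal key for user funds.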

DadeKuma commented 5 months ago

@howlbot accept