code-423n4 / 2024-04-renzo-validation


RewardHandler's receive function reduces MEV yield #783

Closed c4-bot-2 closed 5 months ago

c4-bot-2 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Rewards/RewardHandler.sol#L52-L54

Vulnerability details

Cause

MEV bribes (direct block.coinbase payments) that execute the RewardHandler's receive function call the DepositQueue, and in its receive function, it calls feeAddress, and WithdrawQueue's getBufferDeficit and fillEthWithdrawBuffer, and increments totalEarned. These additional gas costs will dramatically reduce the profitability of the MEV for Renzo's validators because MEV frequently depends on thin gas margins and tends to be hyper gas optimized.

Impact

Due to this, some profitable MEV will be less profitable, and some MEV (e.g., arbitrage) will not be captured at all (due to being unprofitable due to increased gas cost) and will instead be captured in subsequent blocks by other validators.

MEV yield is an important part of overall validator yield, and this functionality needlessly reduces ezETH yield.

This impairs core functionality due to the importance of rewards in a restaking protocol.

Proof of Concept

  1. An arbitrage MEV bundle is evaluated for one of Renzo's validators.
  2. Due to the increased gas costs, the MEV is unprofitable, so it is not included and is instead included by the next slot's (non-Renzo) validator.
  3. MEV income is constantly lost, reducing staking yield for ezETH holders.

Tools Used

Manual Review

Recommended Mitigation Steps

Instead of forwarding every receive() call, accumulate the value to be forwarded only once it's past a certain threshold (preferably a constant and not stored in a storage variable).

+   uint256 public constant FORWARDING_THRESHOLD = 10 ether;

    receive() external payable nonReentrant {
-       _forwardETH();
+       if (address(this).balance > FORWARDING_THRESHOLD) {
+           _forwardETH();
+       }
    }
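
Review bot: The added `if (address(this).balance > FORWARDING_THRESHOLD)` guard leaves any balance at or below 10 ether sitting in the contract, and nothing in this hunk gives another way to reach `_forwardETH()`. If the threshold is kept, pair it with a separate function that forwards the accumulated balance on demand, and document on the constant why 10 ether was chosen. Note also that `receive()` still carries `nonReentrant` on the path that skips forwarding, so that modifier's cost is paid on every payment.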

Assessed type

MEV

DadeKuma commented 5 months ago

This would lead to funds being locked inside the contract until the threshold is reached (if ever).

DadeKuma commented 5 months ago

@howlbot reject