code-423n4 / 2024-04-renzo-validation


The Total Value Locked (TVL) might be manipulated if withdrawals occur outside of Renzo. #839

Closed c4-bot-2 closed 5 months ago

c4-bot-2 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L274
https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Delegation/OperatorDelegator.sol#L274

Vulnerability details

Impact

calculateTVLs() fails to consider ETH queued for withdrawals when withdrawals are initiated from sources external to Renzo. This oversight leads to an underestimated TVL, potentially enabling an attacker to purchase ezETH at a temporary discount.

Proof of Concept

The problem lies in the fact that withdrawals may be triggered from outside of Renzo. This can happen when:

  1. An operator who holds an active key initiates a validator exit
  2. A validator is slashed to 16 ETH and is forcefully exited
  3. An operator calls undelegate on Eigenlayer's DelegationManager

When withdrawals are initiated from external sources, such as above, Renzo's TVL calculation fails to account for the ETH queued for withdrawal. This oversight results in an underestimation of TVL during the withdrawal delay period, creating an opportunity for individuals to purchase ezETH at a temporary discount.

Consider this hypothetical situation:

  1. The total supply of ezETH and the TVL are both 96 ETH, implying a ratio of 1 ezETH to 1 ETH.
  2. A malicious operator holding a minority allocation 'accidentally' triggers a withdrawal on the Beacon chain by undelegating himself.
  3. The staked ETH balance decreases by 32 ETH, reflecting on Eigenlayer and reducing the shares of the Eigenpod by 32 ETH.
  4. The value returned by Renzo's calculateTVLs() decreases by 32 ETH due to the reduction in shares, but Renzo remains unaware of the ETH in the withdrawal queue. Consequently, the exchange rate shifts to 96 ezETH to 64 ETH, resulting in a ratio of 0.67.
  5. The malicious operator capitalizes on the opportunity to purchase cheap ezETH. They wait for the withdrawal to complete, after which the ETH is transferred to Renzo's Restaking Manager, restoring the TVL to its original value.
  6. The value of ezETH increases, allowing the operator to sell ezETH for a profit.

A malicious operator or any observer who identifies this issue can profit by purchasing ezETH at a lower price and selling it for a profit several days later. This comes at the expense of existing ezETH holders, whose shares will be diluted.

This scenario could also occur during a significant slashing event, such as a smart contract bug, where numerous validators are slashed to 16 ETH and forcefully exited. Observers of this event would have an opportunity to exploit the temporary underpricing of ezETH.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider off-chain monitoring for such edge case withdrawals and temporarily pause Renzo operations until the withdrawals have completed and the ETH is back inside Renzo's system. This will require the implementation of a pause function in Renzo.

Assessed type

Other
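The hypothetical situation in the report, worked through as an added example that is not part of the original submission and not Renzo's code. It is a toy share-price model (names such as `Pool`, `count_queued` and the `loss` parameter are assumptions for illustration) in which TVL is computed two ways: counting only restaked shares plus custodied ETH, as the report says calculateTVLs() does, and additionally counting ETH that has exited validators but is still in the withdrawal delay. It also goes slightly beyond the report's numbers by letting part of the exited amount be a real slashing loss, to show that the corrected accounting prices the genuine loss immediately while removing the arbitrage.

```python
"""Toy model of the TVL / exchange-rate drift described in the issue.

Constructed example, not Renzo's code. A pool whose ezETH price is
TVL / totalSupply, with the TVL either ignoring (buggy) or including
(corrected) ETH queued for withdrawal. Exact arithmetic via Fraction.
"""
from dataclasses import dataclass
from fractions import Fraction as F


@dataclass
class Pool:
    ez_supply: F                 # ezETH total supply
    pod_shares: F                # ETH represented by EigenPod shares (restaked)
    queued_eth: F = F(0)         # ETH exited from validators, still in withdrawal delay
    buffer_eth: F = F(0)         # ETH back in the protocol's custody, not yet restaked
    count_queued: bool = False   # assumed switch: does the TVL count queued ETH?

    def calculate_tvl(self) -> F:
        tvl = self.pod_shares + self.buffer_eth
        if self.count_queued:
            tvl += self.queued_eth   # corrected accounting
        return tvl

    def rate(self) -> F:
        """ETH per ezETH, i.e. the mint/redeem price."""
        return self.calculate_tvl() / self.ez_supply

    def external_exit(self, amount: F, loss: F = F(0)) -> None:
        """Validator exit initiated outside the protocol (undelegate, forced exit).

        `amount` of pod shares disappear; `amount - loss` will come back after
        the withdrawal delay, `loss` is a genuine slashing loss.
        """
        self.pod_shares -= amount
        self.queued_eth += amount - loss

    def complete_withdrawal(self) -> None:
        """Withdrawal delay over: queued ETH lands in protocol custody."""
        self.buffer_eth += self.queued_eth
        self.queued_eth = F(0)

    def deposit(self, eth: F) -> F:
        minted = eth / self.rate()
        self.ez_supply += minted
        self.buffer_eth += eth
        return minted

    def redeem(self, ez: F) -> F:
        eth = ez * self.rate()
        assert eth <= self.buffer_eth, "toy model: redeem only from custodied ETH"
        self.ez_supply -= ez
        self.buffer_eth -= eth
        return eth


def simulate(count_queued: bool, exited: F = F(32), loss: F = F(0),
             attacker_eth: F = F(32)) -> dict:
    """Replay the report's scenario: 96 ezETH backed by 96 ETH, 32 ETH exits
    externally, an observer buys during the delay and sells after it."""
    pool = Pool(ez_supply=F(96), pod_shares=F(96), count_queued=count_queued)
    rate_before = pool.rate()
    pool.external_exit(exited, loss)
    rate_during = pool.rate()            # price a depositor pays during the delay
    minted = pool.deposit(attacker_eth)
    pool.complete_withdrawal()           # ETH is back, TVL "restored"
    rate_after = pool.rate()
    got = pool.redeem(minted)
    return {
        "rate_before": rate_before,
        "rate_during": rate_during,
        "rate_after": rate_after,
        "attacker_profit": got - attacker_eth,
    }


if __name__ == "__main__":
    for flag in (False, True):
        r = simulate(flag)
        print(f"count_queued={flag}: rate during delay {float(r['rate_during']):.3f}, "
              f"after {float(r['rate_after']):.3f}, attacker profit {float(r['attacker_profit']):.3f} ETH")
```

With the buggy accounting the rate drops to 2/3 during the delay and the observer who deposits 32 ETH walks away with 32/3 ETH of profit once the withdrawal lands, exactly the dilution of the other 96 ezETH holders. With queued ETH counted the rate never moves for a plain exit, and for a 16 ETH slashing loss it moves straight to 5/6 and stays there, so there is nothing to arbitrage.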

DadeKuma commented 5 months ago

@howlbot accept