Open c4-bot-9 opened 1 month ago
The mitigation review should include more than just links to the issue and the fix. Not much is needed, but at least a description of both.
alcueca marked the issue as unsatisfactory: Insufficient quality
The function `OperatorDelegator::getTokenBalanceFromStrategy()` is used by the `RestakeManager` to calculate the protocol TVL, which is used to calculate the amount of ezETH to mint against a given value in collateral token:
```solidity
function calculateTVLs() public view returns (uint256[][] memory, uint256[] memory, uint256) {
    // ...
    for (uint256 i = 0; i < odLength; ) {
        // ...
        for (uint256 j = 0; j < tokenLength; ) {
            // Get the value of this token
            uint256 operatorBalance = operatorDelegators[i].getTokenBalanceFromStrategy( // <------------
                collateralTokens[j]
            );
            // ...
        }
```
```solidity
/// @dev Gets the underlying token amount from the amount of shares + queued withdrawal shares
function getTokenBalanceFromStrategy(IERC20 token) external view returns (uint256) {
    return
        queuedShares[address(this)] == 0 // <--------- keyed by address(this), not address(token)
            ? tokenStrategyMapping[token].userUnderlyingView(address(this))
            : tokenStrategyMapping[token].userUnderlyingView(address(this)) +
                tokenStrategyMapping[token].sharesToUnderlyingView(
                    queuedShares[address(token)]
                );
}
```
The issue in the `getTokenBalanceFromStrategy(IERC20 token)` function is that it's using `address(this)` instead of `address(token)` to check for the queued amount of the supplied token in calldata, which leads to a completely wrong result, because `queuedShares[address(this)]` will always return `0`, therefore will not count the contribution of `queuedShares[address(token)]`.
The mitigation successfully addresses this issue by replacing the `address(this)` with `address(token)`:
function getTokenBalanceFromStrategy(IERC20 token) external view returns (uint256) {
return
- queuedShares[address(this)] == 0
+ queuedShares[address(token)] == 0
? tokenStrategyMapping[token].userUnderlyingView(address(this))
: tokenStrategyMapping[token].userUnderlyingView(address(this)) +
tokenStrategyMapping[token].sharesToUnderlyingView(
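Review bot: the hunk stops at the opening parenthesis of sharesToUnderlyingView(, so the argument that must share its key with the new guard queuedShares[address(token)] == 0 is not visible here; extend the context by a few lines so the guard and the added amount can be compared side by side. Both branches of the ternary also repeat tokenStrategyMapping[token].userUnderlyingView(address(this)); reading that value once and adding the queued portion only when queuedShares[address(token)] is non-zero would leave a single place where the key appears in the guard. No test accompanies the hunk as shown; a case with a non-zero queuedShares[address(token)] entry would pin the corrected behaviour.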
Considering that the correct address for the collateral token is used instead of the contract's own address, this will now ensure TVL will accurately be reported.
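The under-count described in this review can be reproduced in a reduced model. This is an added example, not code from the audited contracts or from the mitigation: `MockStrategy`, `QueuedSharesModel`, `demo`, the single strategy shared by all tokens, the `address` token parameter and the 1:1 share-to-token rate are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed stand-in for a strategy; 1 share == 1 underlying token (assumption).
contract MockStrategy {
    mapping(address => uint256) public shares;

    function setShares(address user, uint256 amount) external { shares[user] = amount; }
    function userUnderlyingView(address user) external view returns (uint256) { return shares[user]; }
    function sharesToUnderlyingView(uint256 amountShares) external pure returns (uint256) { return amountShares; }
}

// Hypothetical reduced model of the balance accounting, with one strategy for all tokens.
contract QueuedSharesModel {
    MockStrategy public strategy = new MockStrategy();
    mapping(address => uint256) public queuedShares; // keyed by collateral token address

    // Guard keyed by address(this), as in the pre-fix code: that slot is never written.
    function balanceBeforeFix(address token) public view returns (uint256) {
        return queuedShares[address(this)] == 0
            ? strategy.userUnderlyingView(address(this))
            : strategy.userUnderlyingView(address(this)) +
                strategy.sharesToUnderlyingView(queuedShares[token]);
    }

    // Guard keyed by the token, as in the mitigation.
    function balanceAfterFix(address token) public view returns (uint256) {
        return queuedShares[token] == 0
            ? strategy.userUnderlyingView(address(this))
            : strategy.userUnderlyingView(address(this)) +
                strategy.sharesToUnderlyingView(queuedShares[token]);
    }

    // Constructed scenario: 60 units still in the strategy, 40 queued for withdrawal.
    function demo(address token) external returns (uint256 beforeFix, uint256 afterFix) {
        require(token != address(this), "token must not be this contract");
        strategy.setShares(address(this), 60 ether);
        queuedShares[token] = 40 ether;

        beforeFix = balanceBeforeFix(token);
        afterFix = balanceAfterFix(token);

        // The pre-fix balance omits the queued shares; the post-fix balance includes them.
        require(beforeFix == 60 ether, "pre-fix should ignore queued shares");
        require(afterFix == 100 ether, "post-fix should count queued shares");
    }
}
```

Calling `demo` with any token address other than the model contract itself passes both `require` checks, which is the difference a regression test for this fix needs to assert.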
alcueca marked the issue as satisfactory
Lines of code
Vulnerability details
The fix applied by the team fully mitigates H-02.