code-423n4 / 2024-06-renzo-mitigation-findings


H-02 MitigationConfirmed #3

Open c4-bot-9 opened 1 month ago

c4-bot-9 commented 1 month ago

Lines of code

Vulnerability details

The fix applied by the team fully mitigates H-02.

alcueca commented 1 month ago

The mitigation review should include more than just links to the issue and the fix. Not much is needed, but at least a description of both.

c4-judge commented 1 month ago

alcueca marked the issue as unsatisfactory: Insufficient quality

s1n1st3r01 commented 1 month ago

Original vulnerability


The function OperatorDelegator::getTokenBalanceFromStrategy() is used by the RestakeManager to calculate the protocol TVL, which is used to calculate the amount of ezETH to mint against a given value in collateral token.

    function calculateTVLs() public view returns (uint256[][] memory, uint256[] memory, uint256) {
        ................

        for (uint256 i = 0; i < odLength; ) {
            ..............
            for (uint256 j = 0; j < tokenLength; ) {
                // Get the value of this token

------------>   uint256 operatorBalance = operatorDelegators[i].getTokenBalanceFromStrategy(
                    collateralTokens[j]
                );

                ..........
    }
    /// @dev Gets the underlying token amount from the amount of shares + queued withdrawal shares
    function getTokenBalanceFromStrategy(IERC20 token) external view returns (uint256) {
        return
--------->  queuedShares[address(this)] == 0
                ? tokenStrategyMapping[token].userUnderlyingView(address(this))
                : tokenStrategyMapping[token].userUnderlyingView(address(this)) +
                    tokenStrategyMapping[token].sharesToUnderlyingView(
                        queuedShares[address(token)]
                    );
    }

The issue in the getTokenBalanceFromStrategy(IERC20 token) function is that it uses address(this) instead of address(token) to check for the queued amount of the token supplied in calldata. This leads to a completely wrong result, because queuedShares[address(this)] will always return 0, and therefore the function will not count the contribution of queuedShares[address(token)].

Mitigation analysis


The mitigation successfully addresses this issue by replacing address(this) with address(token):

     function getTokenBalanceFromStrategy(IERC20 token) external view returns (uint256) {
         return
-             queuedShares[address(this)] == 0
+             queuedShares[address(token)] == 0
                 ? tokenStrategyMapping[token].userUnderlyingView(address(this))
                 : tokenStrategyMapping[token].userUnderlyingView(address(this)) +
                     tokenStrategyMapping[token].sharesToUnderlyingView(
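
Review bot: on the changed condition line, the mapping key is still spelled out separately from the key passed to sharesToUnderlyingView, and the hunk is cut off before that argument, so the two cannot be confirmed to match from these lines alone. Consider reading queuedShares[address(token)] into a local once and using that value for both the == 0 check and the conversion, so the keys cannot drift apart again. A regression test that queues shares for a token and asserts the returned balance includes them would also be worth adding alongside this change.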

Considering that the correct address for the collateral token is used instead of the contract's own address, this will now ensure TVL will accurately be reported.
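
A minimal regression model of the key mismatch described in the comment above, as an added example that is not part of the thread or of Renzo's code base. MockStrategy (1 share = 1 token), DelegatorModel, RegressionCheck, the seed helper, the placeholder token address and the 70/30 amounts are all constructed for illustration; only the two balance expressions mirror the snippets quoted above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed stand-in for a strategy: 1 share converts to 1 underlying token.
contract MockStrategy {
    mapping(address => uint256) public shares;
    function setShares(address user, uint256 amount) external { shares[user] = amount; }
    function userUnderlyingView(address user) external view returns (uint256) { return shares[user]; }
    function sharesToUnderlyingView(uint256 amount) external pure returns (uint256) { return amount; }
}

// Constructed model of the state the getter reads; mappings keyed by address (no IERC20 import).
contract DelegatorModel {
    mapping(address => MockStrategy) public tokenStrategyMapping;
    mapping(address => uint256) public queuedShares;

    function seed(address token, MockStrategy strategy, uint256 active, uint256 queued) external {
        tokenStrategyMapping[token] = strategy;
        strategy.setShares(address(this), active); // shares still held in the strategy
        queuedShares[token] = queued;              // shares sitting in queued withdrawals
    }

    // Pre-fix shape: the check reads a slot keyed by this contract, which seed never writes.
    function balanceBeforeFix(address token) external view returns (uint256) {
        MockStrategy s = tokenStrategyMapping[token];
        return queuedShares[address(this)] == 0
            ? s.userUnderlyingView(address(this))
            : s.userUnderlyingView(address(this)) + s.sharesToUnderlyingView(queuedShares[token]);
    }

    // Post-fix shape: the check and the conversion read the same token-keyed slot.
    function balanceAfterFix(address token) external view returns (uint256) {
        MockStrategy s = tokenStrategyMapping[token];
        return queuedShares[token] == 0
            ? s.userUnderlyingView(address(this))
            : s.userUnderlyingView(address(this)) + s.sharesToUnderlyingView(queuedShares[token]);
    }
}

contract RegressionCheck {
    function run() external returns (uint256 beforeFix, uint256 afterFix) {
        address token = address(0xBEEF); // constructed placeholder token address
        DelegatorModel od = new DelegatorModel();
        od.seed(token, new MockStrategy(), 70 ether, 30 ether);
        beforeFix = od.balanceBeforeFix(token); // queued shares are ignored
        afterFix = od.balanceAfterFix(token);   // queued shares are included
        assert(beforeFix == 70 ether);
        assert(afterFix == 100 ether);
    }
}
```

The same two assertions carry over to a fork or unit test against the real OperatorDelegator: queue a withdrawal for one collateral token, then check that the reported balance equals active plus queued underlying.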

c4-judge commented 1 month ago

alcueca marked the issue as satisfactory