code-423n4 / 2024-06-renzo-mitigation-findings


H-02 MitigationConfirmed #41

Open c4-bot-9 opened 4 weeks ago

c4-bot-9 commented 4 weeks ago

Lines of code

Vulnerability details

Original Issue Summary

The OperatorDelegator.getTokenBalanceFromStrategy() incorrectly uses address(this) to check for the queued amount instead of address(token).

address(this) will always return 0, which means that queuedShares[address(token)] will not be accounted for.

Mitigation

This mitigation proposes the usage of address(token) instead of address(this):

-            queuedShares[address(this)] == 0
+            queuedShares[address(token)] == 0
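Review bot: the `+` line corrects the key used in the `== 0` guard, but the change comes with no test that exercises a non-zero `queuedShares[address(token)]`. Add a regression test that queues a withdrawal for a token and asserts that `getTokenBalanceFromStrategy()` includes the queued amount, since the old `address(this)` key read 0 without reverting and nothing flagged it. It is also worth checking the rest of the contract for any other read of `queuedShares[address(this)]`.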

Comments

This mitigation successfully mitigates the original issue. The address of the token is used, which will successfully get the underlying token amount from the amount of shares + queued withdrawal shares.

Suggestion

n/a

Conclusion

LGTM
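The key mismatch described in this report, as an added example that is not part of the original report and is not the Renzo code: a simplified Solidity model with the pre-mitigation and mitigated guard side by side, plus a regression check. The contract, its function names, the ternary shape of the balance function and the 1:1 share-to-underlying conversion are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration; not the Renzo OperatorDelegator.
// Assumptions: shares convert to underlying 1:1, and queuing a withdrawal
// moves shares out of the strategy balance into queuedShares.
contract QueuedSharesModel {
    mapping(address => uint256) public strategyShares; // keyed by token
    mapping(address => uint256) public queuedShares;   // keyed by token

    function deposit(address token, uint256 shares) public {
        strategyShares[token] += shares;
    }

    function queueWithdrawal(address token, uint256 shares) public {
        strategyShares[token] -= shares;
        queuedShares[token] += shares; // written under the token's address
    }

    // Pre-mitigation guard: reads a key that is never written, so the
    // lookup yields the mapping default and the queued term is skipped.
    function balanceBuggy(address token) public view returns (uint256) {
        return queuedShares[address(this)] == 0
            ? strategyShares[token]
            : strategyShares[token] + queuedShares[token];
    }

    // Mitigated guard: reads the same key that queueWithdrawal writes.
    function balancePatched(address token) public view returns (uint256) {
        return queuedShares[token] == 0
            ? strategyShares[token]
            : strategyShares[token] + queuedShares[token];
    }

    // Regression check: in this model, queuing a withdrawal must not change
    // the reported balance, since queued shares are still counted.
    function regression(address token) external returns (bool buggyDrops, bool patchedHolds) {
        require(token != address(this), "use a token address");
        deposit(token, 100);
        uint256 expected = balancePatched(token);
        queueWithdrawal(token, 40);
        buggyDrops = balanceBuggy(token) < expected;
        patchedHolds = balancePatched(token) == expected;
    }
}
```

Calling `regression` with any token address other than the contract's own returns `true` for both flags: the pre-mitigation guard under-reports once shares are queued, and the mitigated guard does not.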

c4-judge commented 4 weeks ago

alcueca marked the issue as satisfactory