search

code-423n4 / 2024-06-renzo-mitigation-findings

0 stars 0 forks source link

H-03 MitigationConfirmed #56

Open c4-bot-5 opened 3 months ago

c4-bot-5 commented 3 months ago

Lines of code

Vulnerability details

C4 Issue

H-03: https://github.com/code-423n4/2024-04-renzo-findings/issues/368

Issue Details

Function completeQueuedWithdrawal() is used by admin to complete withdraws of shares from EigenLayer. Both this function and receive() function implement nonReentrant modifier:

 function completeQueuedWithdrawal(
     IDelegationManager.Withdrawal calldata withdrawal,
     IERC20[] calldata tokens,
     uint256 middlewareTimesIndex
 ) external nonReentrant onlyNativeEthRestakeAdmin {  // <---
    uint256 gasBefore = gasleft();
    if (tokens.length != withdrawal.strategies.length) revert MismatchedArrayLengths();

    // complete the queued withdrawal from EigenLayer with receiveAsToken set to true
    delegationManager.completeQueuedWithdrawal(withdrawal, tokens, middlewareTimesIndex, true);  // <--
   .   .   .   .   .
}

 receive() external payable nonReentrant {  // <---
   .   .   .   .
}

In function completeQueuedWithdrawal(), it call completeQueuedWithdrawal() function from eigenLayer to withdraw. With receiveAsTokens = true, ether will be transfered from EigenPod to contract and trigger receive() function. Because receive() function implement nonReentrant modifier, the call will revert. Lead to ETH stuck in Eigenlayer

Mitigation

Mitigation successfully mitigate the issue by removing nonReentrant modifier from receive() function. Ether can be transfered from Eigenlayer to contract without preventation.

Conclusion

Mitigation confirmed.

c4-judge commented 3 months ago

alcueca marked the issue as satisfactory