Closed sherlock-admin4 closed 6 months ago
Invalid - Operators are trusted partners, but they will be removed from the active set if they fail to update their earnings receiver.
Could be valid, depending on reward distribution logic, given operators are not trusted. Would this fall under the scenario where they are trusted to act accordingly in EigenLayer context?
Operators are partners that are trusted to act accordingly within EigenLayer. If they change their earnings receiver within EigenLayer, they will be penalized by being removed from the operator set.
Agree with sponsor based on head of judging comments here
klaus
medium
An operator can change the earningsReceiver after deploying an OperatorDelegator and steal the rewards
Summary
It checks the EigenLayer configuration of the operator only when deploying OperatorDelegator, but it can be changed by the operator later. In particular, if the earningsReceiver setting is changed, the operator can steal the rewards.
Vulnerability Detail
When deploying OperatorDelegator, it checks whether the value set by the operator on the EigenLayer is correct. It verifies if the earningsReceiver, delegationApprover, stakerOptOutWindowBlocks configuration values are correct. In particular, earningsReceiver should be set to RewardDistributor contract so that rewards are distributed through the Rio system.
This setting is only checked at deployment and is not checked afterwards. Therefore, after deploying OperatorDelegator, if the operator changes the settings by making a contract call to EigenLayer, they can steal the rewards.
This is a PoC. Add it to the RioLRTOperatorRegistry.t.sol file and run it.
Impact
If the operator changes the earningsReceiver settings, they can steal the rewards.
Code Snippet
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/restaking/RioLRTOperatorDelegator.sol#L81-L83
Tool used
Manual Review
Recommendation
Penalize operators for changing settings.
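
An added example, not part of the original report and not Rio's code: one way to repeat the deployment-time check on the operator's live EigenLayer settings so that a later change to earningsReceiver is detected and flagged. The `IDelegationManagerLike` interface, the `OperatorConfigGuard` contract and the expected approver and opt-out values are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal view of EigenLayer's DelegationManager, declared locally so
// the example is self-contained. Fields are the three settings named above.
interface IDelegationManagerLike {
    struct OperatorDetails {
        address earningsReceiver;
        address delegationApprover;
        uint32 stakerOptOutWindowBlocks;
    }
    function operatorDetails(address operator) external view returns (OperatorDetails memory);
}

// Hypothetical guard: repeats the deployment-time check whenever anyone calls it.
contract OperatorConfigGuard {
    IDelegationManagerLike public immutable delegationManager;
    address public immutable rewardDistributor;   // required earningsReceiver
    address public immutable expectedApprover;    // assumed policy value
    uint32 public immutable minOptOutBlocks;      // assumed policy value

    mapping(address => bool) public flagged;      // operators seen with drifted config
    event OperatorConfigDrift(address indexed operator, address earningsReceiver);

    constructor(IDelegationManagerLike dm, address distributor, address approver, uint32 minBlocks) {
        delegationManager = dm;
        rewardDistributor = distributor;
        expectedApprover = approver;
        minOptOutBlocks = minBlocks;
    }

    // True only while the operator's live EigenLayer settings still match.
    function isConfigValid(address operator) public view returns (bool) {
        IDelegationManagerLike.OperatorDetails memory d = delegationManager.operatorDetails(operator);
        return d.earningsReceiver == rewardDistributor
            && d.delegationApprover == expectedApprover
            && d.stakerOptOutWindowBlocks >= minOptOutBlocks;
    }

    // Permissionless: a keeper or monitor calls this before rewards are routed.
    // Flags the operator once so the registry can remove it from the active set.
    function checkOperator(address operator) external returns (bool ok) {
        ok = isConfigValid(operator);
        if (!ok && !flagged[operator]) {
            flagged[operator] = true;
            emit OperatorConfigDrift(operator, delegationManager.operatorDetails(operator).earningsReceiver);
        }
    }
}
```

The guard only records and signals the mismatch; removing the operator from the active set is left to the registry's own deactivation path.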