Closed sherlock-admin2 closed 6 months ago
request poc
PoC requested from @0xhsp
Requests remaining: 7
It's hard to write a POC but allow me to elaborate:
For example:
Besides, attacker may avoid slashing by front-run EigenLayer slashing transaction to call requestWithdraw() and rebalance() (this is possible because rebalance() may not have been called because there is no deposits/withdrawals), then the un-unitized funds in deposit pool is withdrawn to attacker, as a result, attacker earn riskless profit while the other users suffer more loss due to the slashing.
So I believe the unallocated assets is a problem, the funds should be transferred back to users and the LRT should be minted/burned accordingly.
This seems to be a management issue, not a code issue. The deposit and operator caps will be managed in such a way that yield drag is reduced.
HSP
medium
Unallocated assets may largely reduce the profit belongs to the user whose funds are utilized
Summary
Unallocated assets may largely reduce the profit belongs to the user whose funds are utilized.
Vulnerability Detail
When user deposits to Rio, LRT tokens are first minted to user to the user, and when rebalancing, allocateStrategyShares(...) function is called to allocate shares to the operators.If the allocation of the operator with the lowest utilization rate is maxed out, function exits earlier and no more shares will be allocated.
The unallocated assets are not returned to user but stay in the deposit pool. This is problematic because the rewards protocol gains from Eigenlayer are shared by the LRT holders, given LRT tokens are also minted for the unallocated assets, User's profit can be largely reduced.
Impact
User's profit is largely reduced.
Code Snippet
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRTOperatorRegistry.sol#L342
Tool used
Manual Review
Recommendation
Return funds back to user if reaches the cap, and only mint LRT tokens to users whose funds are utilized.