Closed sherlock-admin4 closed 8 months ago
monrel
high
The epoch is not incremented when withdrawals happen through EigenLayer, users will lose their assets since they can not complete their withdrawals.
When we settle through settleCurrentEpoch() we increment currentEpochsByAsset[asset].
settleCurrentEpoch()
currentEpochsByAsset[asset]
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/restaking/RioLRTWithdrawalQueue.sol#L166
currentEpochsByAsset[asset] += 1;
But If we withdraw from EigenLayer by calling queueWithdrawalFromOperatorsForUserSettlement() we never increment the epoch.
queueWithdrawalFromOperatorsForUserSettlement()
Rebalance mechanism is broken:
When an epoch withdrawing from eigenlayer it is settled through settleEpochFromEigenLayer(), epochWithdrawals.settled is set to true
settleEpochFromEigenLayer()
epochWithdrawals.settled
true
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/restaking/RioLRTWithdrawalQueue.sol#L230
Users will still be able to call requestWithdrawl() even if the current epoch has settled, they will lose their LRT tokens but the epoch is already settled so the funds are stuck.
requestWithdrawl()
Manual Review
The epoch has to be incremented when we queue it for settlement in _processUserWithdrawalsForCurrentEpoch()
_processUserWithdrawalsForCurrentEpoch()
withdrawalQueue_.queueCurrentEpochSettlement(asset, assetsSent, sharesSent, aggregateRoot); currentEpochsByAsset[asset] += 1;
Duplicate of #4
monrel
high
Epoch is not incremented when withdrawing from EigenLayer
Summary
The epoch is not incremented when withdrawals happen through EigenLayer, users will lose their assets since they can not complete their withdrawals.
Vulnerability Detail
When we settle through
settleCurrentEpoch()we incrementcurrentEpochsByAsset[asset].https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/restaking/RioLRTWithdrawalQueue.sol#L166
But If we withdraw from EigenLayer by calling
queueWithdrawalFromOperatorsForUserSettlement()we never increment the epoch.Impact
Rebalance mechanism is broken:
When an epoch withdrawing from eigenlayer it is settled through
settleEpochFromEigenLayer(),epochWithdrawals.settledis set totruehttps://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/restaking/RioLRTWithdrawalQueue.sol#L230
Users will still be able to call
requestWithdrawl()even if the current epoch has settled, they will lose their LRT tokens but the epoch is already settled so the funds are stuck.Code Snippet
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/restaking/RioLRTWithdrawalQueue.sol#L166
https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/4f01e065c1ed346875cf5b05d2b43e0bcdb4c849/rio-sherlock-audit/contracts/restaking/RioLRTWithdrawalQueue.sol#L230
Tool used
Manual Review
Recommendation
The epoch has to be incremented when we queue it for settlement in
_processUserWithdrawalsForCurrentEpoch()Duplicate of #4