Back to 0xDemon's contests

Renzo - 0xDemon's results

A protocol that abstracts all staking complexity from the end-user and enables easy collaboration with EigenLayer node operators and a Validated Services (AVSs).

General Information

Platform: Code4rena

Start Date: 30/04/2024

Pot Size: $112,500 USDC

Total HM: 22

Participants: 122

Period: 8 days

Judge: alcueca

Total Solo HM: 1

Id: 372

League: ETH

Renzo

Findings Distribution

Researcher Performance

Rank: 84/122

Findings: 1

Award: $1.48

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryRenzo

Findings Information

🌟 Selected for report: t0x1c

Also found by: 0xCiphky, 0xDemon, Bauchibred, DanielArmstrong, FastChecker, MSaptarshi, Maroutis, NentoR, Ocean_Sky, PNS, Rhaydden, SBSecurity, Shaheen, Tigerfrake, ZanyBonzy, atoko, btk, carlitox477, crypticdefense, honey-k12, hunter_w3b, ilchovski, jokr, ladboy233, rbserver, twcctop, umarkhatab_465

Awards

1.479 USDC - $1.48

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
edited-by-warden
:robot:_19_group
duplicate-484

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L491-L576 https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L592-L616

Vulnerability details

Impact

Users may get less ezETH / collateral token than desired

Proof of Concept

RestakeManager::deposit & RestakeManager::depositETH functions for users to make deposits in the form of collateral tokens (stETH, wbETH) and ETH.

When a user makes a deposit with collateral tokens, the value of the number of tokens is checked with renzoOracle::lookupTokenValue. After getting the value, the amount of ezETH that will be requested from the user is determined with renzoOracle::calculateMintAmount.

        if (mintAmount == 0) revert InvalidTokenAmount();

The problem arises because the calculateMintAmount() sanity check function is carried out only if mintAmount = 0 then the function will revert. Then in the deposit() function there is no checking whether the ezETHtoMint value (the result of calling the calculateMintAmount() function) matches what is desired.

NOTE

This also applies if the user withdraws or redeems the ezETH token they have in order to get ETH or other collateral tokens

Instances :

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Withdraw/WithdrawQueue.sol#L206-L263

Tools Used

Manual review

Consider adding check whether the ezETH that will be requested for the user matches what is desired

    function deposit(
        IERC20 _collateralToken,
        uint256 _amount,
        uint256 _referralId,
        uint256 minezETH
    ) public nonReentrant notPaused {
    
      uint256 ezETHToMint = renzoOracle.calculateMintAmount(
      totalTVL,
      collateralTokenValue,
      ezETH.totalSupply()
    );
    
    if (ezETHtoMint < minezETH) {
	    revert lessezETH;
	    }
	  }
	    
	    
    function depositETH(
		    uint256 _referralId,
		    uint256 minezETH
   ) public payable nonReentrant notPaused {
   
      uint256 ezETHToMint = renzoOracle.calculateMintAmount(
      totalTVL,
      msg.value,
      ezETH.totalSupply()
    );
    
    if (ezETHtoMint < minezETH) {
	    revert lessezETH;
	    }
	 }

Assessed type

Other

#0 - c4-judge

2024-05-17T13:28:49Z

alcueca marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter