Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 171/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
NodeDelegator have a function maxApproveToEigenStrategyManager(address asset) for approving a strategy to spend type(uint256).max amount of asset it's balance. Doing so on a custom strategy exposes Nodedelegator asset balance to a possible wiping.
After digging through EigenLayer strategy contracts i contacted the dev team on discord , and they confirmed to me that allowing operators to create their own custom strategy contracts are planned and are in internal discussion stages, this means in a near future operator can create their own custom strategy on eigenLayer. See discussion. With this in mind an operator can create his own strategy contract and program it to transfer out all the nodedelegator balances. This is possible because of the max approval given to the strategy. Since Kelp also have plans for supporting multiple strategies in the future, the max approval is a big issue on it's own in this context.
Manual review
Since nodedelegator will always manually be called to deposit into strategy by kelp LRTManager, just approve the necessary amount before each deposit to avoid any funds loss in the future.
ERC20
#0 - c4-pre-sort
2023-11-16T19:43:40Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T19:43:54Z
raymondfam marked the issue as duplicate of #70
#2 - c4-judge
2023-11-29T19:28:16Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-11-29T19:29:24Z
fatherGoose1 marked the issue as grade-b