Back to 0xWaitress's contests

EigenLayer Contest - 0xWaitress's results

Enabling restaking of staked Ether, to be used as cryptoeconomic security for decentralized protocols and applications.

General Information

Platform: Code4rena

Start Date: 27/04/2023

Pot Size: $90,500 USDC

Total HM: 4

Participants: 43

Period: 7 days

Judge: GalloDaSballo

Id: 233

League: ETH

EigenLayer

Findings Distribution

Researcher Performance

Rank: 22/43

Findings: 2

Award: $606.39

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryEigenLayer

Findings Information

🌟 Selected for report: ABA

Also found by: 0xWaitress, 8olidity, ABA, MiloTruck, ToonVH, bughunter007, bytes032, juancito, rvierdiiev

Labels

bug
2 (Med Risk)
satisfactory
edited-by-warden
duplicate-132

Awards

534.7892 USDC - $534.79

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L745

Vulnerability details

Impact

completeQueuedWithdrawal can face a denial of service when a strategy is paused

Proof of Concept

  1. Assume a staker queue up an withdrawal of 2 strategies, each with 100 tokens (A/B)
  2. The staker waits for the delay to pass
  3. However strategy B is now paused.
  4. Since the withdrawal has to be executed entirely, and StrategyB.withdraw would be revert, the staker cannot execute the withdrawal

Tools Used

Manual Review

add an indexToSkip like the function slashQueuedWithdrawal

Assessed type

Invalid Validation

#0 - c4-pre-sort

2023-05-09T13:39:14Z

0xSorryNotSorry marked the issue as duplicate of #132

#1 - c4-judge

2023-06-08T12:26:37Z

GalloDaSballo marked the issue as satisfactory

Findings Information

🌟 Selected for report: volodya

Also found by: 0xWaitress, 0xnev, ABA, Aymen0909, Cyfrin, QiuhaoLi, RaymondFam, btk, bughunter007, ihtishamsudo, juancito, libratus, niser93, sashik_eth

Labels

bug
grade-b
QA (Quality Assurance)
edited-by-warden
Q-20

Awards

71.6048 USDC - $71.60

External Links

Link to GitHub issue
  1. Make input in StrategyManager::completeQueuedWithdrawals as a struct

right now the input is not guaranteed to be the same length, it's better to make them in a struct so length checks are not needed

function completeQueuedWithdrawals(
        QueuedWithdrawal[] calldata queuedWithdrawals,
        IERC20[][] calldata tokens,
        uint256[] calldata middlewareTimesIndexes,
        bool[] calldata receiveAsTokens
    ) external

Recommendation

struct Input {
    QueuedWithdrawal a;
    IERC20[] b;
    uint256 c;
    bool d;
}

function completeQueuedWithdrawals(Input[] calldata intputs) {
}

-------- \n

  1. Same issue as 1.) for slashShares

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/core/StrategyManager.sol#L482-L489

-------- \n

  1. deposit/withdraw in IStrategy does not need to take token, if only onlyStrategyManager can call and only 1 rewardToken is expected per strategy.

StrategyBase.sol

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/strategies/StrategyBase.sol#L78-L86

    function deposit(IERC20 token, uint256 amount)
        external
        virtual
        override
        onlyWhenNotPaused(PAUSED_DEPOSITS)
        onlyStrategyManager
        returns (uint256 newShares)
    {
        require(token == underlyingToken, "StrategyBase.deposit: Can only deposit underlyingToken");

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/strategies/StrategyBase.sol#L121-L128

    function withdraw(address depositor, IERC20 token, uint256 amountShares)
        external
        virtual
        override
        onlyWhenNotPaused(PAUSED_WITHDRAWALS)
        onlyStrategyManager
    {
        require(token == underlyingToken, "StrategyBase.withdraw: Can only withdraw the strategy token");

-------- \n

  1. Nothing is immediately withdrawable with the use of DelayedWithdrawalRouter.sol

However there are 2 doc/comments that still use "immediately withdrawable", which is mis-leading.

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L374

https://github.com/code-423n4/2023-04-eigenlayer/blob/main/src/contracts/pods/EigenPod.sol#L389

#0 - GalloDaSballo

2023-06-02T09:18:51Z

  1. Make input in StrategyManager::completeQueuedWithdrawals as a struct R
  2. Same issue as 1.) for slashShares R
  3. deposit/withdraw in IStrategy does not need to take token, if only onlyStrategyManager can call and only 1 rewardToken is expected per strategy. R
  4. Nothing is immediately withdrawable with the use of DelayedWithdrawalRouter.sol NC

3R 1NC

#1 - c4-judge

2023-06-02T09:38:48Z

GalloDaSballo marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter