Renzo - Audinarey's results

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Withdraw/WithdrawQueue.sol#L206 https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L492

Vulnerability details

Impact

This can lead to a situation where the protocol becomes insolvent because users can choose asset to deposit and withdraw hence arbitraging from the protocol.

Proof of Concept

During withdrawals, user can perform arbitrage, this is because there is no restriction on users to withdraw the exact restaking token they deposited.

This problem exists because users can call ResatakeManager::deposit(...) with a different _collateralToken from the one they used to call WithdrawalQueue::withdraw(...) hence a malicious user can but stETH cheap from the stETH/ETH pool and deposit it into the protocol and withdraw say cbETH which is currently trading at 1.03ETH at the time of writing this report

Liquid staking tokens are vulnerable to depegging significantly from the underlying staked cryptocurrencies. As seen in RENZO itself just two weeks ago

scenario

• Alice has 100 ETH, and buys 100 stETH at 0.99ETH/stETH with 99 ETH
• Alice calls ResatakeManager::deposit(...) with 100 stETH currently trading at 0.99ETH/stETH
• Alice call WithdrawalQueue::withdraw(...) to withdraw 100 cbETH which is currently trading at 1.03ETH/cbETH
• Alice gains 101 - 99 = 2 ether

Tools Used

Manual review

Recommended Mitigation Steps

A trivial recommendation is not in sight here.

Assessed type

Other