Renzo - Hajime's results

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L244-L263

Vulnerability details

Impact

The user will not be able to withdraw a collateral asset that he has deposited if the asset is removed. In WithdrawQueue.withdraw() there is a check for supported tokens: if (withdrawalBufferTarget[_assetOut] == 0) revert UnsupportedWithdrawAsset(); withdrawalBufferTarget is synchronized with collateralTokens[].

After calling removeCollateralTokens the asset is no longer supported. The developers say that the amount of the removed asset is immediately output manually from the EigenLayer via OperatorDelegator.queueWithdrawals to which IERC20[] calldata tokens, uint256[] calldata tokenAmounts are passed as parameters,but these lists do not include deleted assets, because after calling removeCollateralTokens the assets are simply remove without consideration.

This causes the funds to get stuck

Proof of Concept

function removeCollateralToken(
        IERC20 _collateralTokenToRemove
    ) external onlyRestakeManagerAdmin {
        // Remove it from the list
        uint256 tokenLength = collateralTokens.length;
        for (uint256 i = 0; i < tokenLength; ) {
            if (address(collateralTokens[i]) == address(_collateralTokenToRemove)) {
                collateralTokens[i] = collateralTokens[collateralTokens.length - 1];
                collateralTokens.pop();
                emit CollateralTokenRemoved(_collateralTokenToRemove);
                return;
            }
            unchecked {
                ++i;
            }
        }

Tools Used

Manual

Recommended Mitigation Steps

create 'blacklist' type arrays into which you can loop through and withdraw the remaining asset funds

Assessed type

Other

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L274

Vulnerability details

Impact

the amount to be returned to the user will be incorrect because of the incorrect totalTVL value that calculateTVLs returns.This happens when the funds of remove assets get stuck in the protocol (although the developers claim that the admin manually removes the sums of deleted assets, but this is not the case). In case when a user deposited an asset and it was remove from the supported tokens, the result is that the amount gets stuck and is not taken into account in calculateTVLs.

calculateTVLs is calculated only on collateralTokens [] (supported tokens), it returns the value of totalTVL which is used to calculate amountRedeem as a result the user gets an incorrect amount.

Proof of Concept

uint256 amountToRedeem = renzoOracle.calculateRedeemAmount(
            _amount,
            ezETH.totalSupply(),
            totalTVL //! wrong
        );

Tools Used

manual

Recommended take into account which token the user has deposited and if it is not supported withdraw funds taking them into account. Since the developers' statements are not true about remove token's funds being withdrawn manually by the admin

Assessed type

Context