Renzo - aslanbek's results

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Withdraw/WithdrawQueue.sol#L219-L233

Vulnerability details

Impact

When requesting a withdrawal, the amount of collateral that will be withdrawn is set at the moment of request, and never changes afterwards. Therefore, regardless of slashings during the coolDownPeriod, the requester will be able to claim exactly the requested amount.

Proof of Concept

1. ezETH holder Alice notices a slashing from an AVS;
2. Alice requests redemption of her ezETH for a collateral token;
3. Slashing is executed;
4. While every other ezETH holder is affected by the slasing, Alice is not; and she claims her withdrawal once the cooldown period is over.

Recommended Mitigation Steps

ezETH exchange rate should be computed at the moment of claiming the withdrawal, not at the moment of request.

Assessed type

MEV

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L318

Vulnerability details

Impact

RestakeManager#calculateTVLs computes the total value of assets stored in the system:

For each OperatorDelegator, for each collateral token, it retrieves OD's balance and adds its ETH value to the total sum;

At i = 0 (first OD), totalWithdrawalQueueValue is being computed by iterating through each token (j= 0, 1, ..., tokenLength - 1):

                if (!withdrawQueueTokenBalanceRecorded) {
                    totalWithdrawalQueueValue += renzoOracle.lookupTokenValue(
                        collateralTokens[i],
                        collateralTokens[j].balanceOf(withdrawQueue)
                    );
                }

Since the first parameter of lookupTokenValue is the address of the token, and the second is its amount, each token will be accounted with the price of the first one.

Proof of Concept

Imagine there's 5 ODs, and 3 collateral tokens: stETH, wbETH, mETH.

Let's debug the first iteration of the external loop:

        for (uint256 i = 0; i < odLength; ) {
            /* ... */
            for (uint256 j = 0; j < tokenLength; ) {
                /* ... */
                if (!withdrawQueueTokenBalanceRecorded) {
                    totalWithdrawalQueueValue += renzoOracle.lookupTokenValue(
                        collateralTokens[i],
                        collateralTokens[j].balanceOf(withdrawQueue)
                    );
                }

                unchecked {
                    ++j;
                }
            }
            /* ... */
            totalWithdrawalQueueValue = true;
        }

i = 0, j = 0 - totalWithdrawalQueueValue is increased by stETH's value, using stETH's price. i = 0, j = 1 - totalWithdrawalQueueValue is increased by WithdrawalQueue's wbETH balance; still using stETH price. i = 0, j = 2 - totalWithdrawalQueueValue is increased by WithdrawalQueue's wbETH balance; still using stETH price.

Attack example

Imagine there's 10 stETH in the system; collateralTokens = [mETH, stETH]; 1 mETH = 1.1 ETH, 1 stETH = 1 ETH;

1. Alice deposits 1 stETH and receives 1 ezETH.
2. Bob deposits 1 mETH. calculateTVLs wrongly returns 1.1 ETH. Bob gets 1 ezETH.
3. Alice withdraws her 0.9090... ezETH. calculateTVLs wrongly returns 2.2 ETH. Alice receives her 1 stETH back, and has 0.090909... ezETH remaining, which she then redeems for mETH, effectively stealing Bob's deposited collateral.

Recommended Mitigation Steps

                if (!withdrawQueueTokenBalanceRecorded) {
                    totalWithdrawalQueueValue += renzoOracle.lookupTokenValue(
-                       collateralTokens[i],
+                       collateralTokens[j],
                        collateralTokens[j].balanceOf(withdrawQueue)
                    );
                }

Assessed type

Other

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L274

Vulnerability details

Impact

DepositQueue is expected to receive rewards in any of the collateral tokens. They are expected to be forwarded to OperatorDelegators via sweepERC20.

As the collateral balances of DepositQueue are not included in RestakeManager#calculateTVLs, one can monitor DepositQueue#sweepERC20 transactions, deposit before them, initiate the withdrawal right after (at a higher ezETH exchange rate), and claim it after coolDownPeriod, stealing rewards from honest depositors who have been holding ezETH for a significantly longer duration.

Proof of Concept

1. Alice sees a sweepERC20 transaction in the mempool;
2. Alice deposits ETH and mints ezETH;
3. sweepERC20 transaction is mined;
4. Alice starts a withdrawal of her ezETH at a higher price, and claims it after coolDownPeriod.

Recommended Mitigation Steps

Include DepositQueue's balance in calculateTVL's, minus the fee that would be deduced during sweepERC20.

Assessed type

Other