Renzo - golu's results

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L244

Vulnerability details

Impact

Loss of user Funds.

   /// @dev Allows restake manager to remove a collateral token
    function removeCollateralToken(
        IERC20 _collateralTokenToRemove
    ) external onlyRestakeManagerAdmin {
        // Remove it from the list
        uint256 tokenLength = collateralTokens.length;
        for (uint256 i = 0; i < tokenLength; ) {
            if (address(collateralTokens[i]) == address(_collateralTokenToRemove)) {
                collateralTokens[i] = collateralTokens[collateralTokens.length - 1];
                collateralTokens.pop();
                emit CollateralTokenRemoved(_collateralTokenToRemove);
                return;
            }
            unchecked {
                ++i;
            }
        }

        // If the item was not found, throw an error
        revert NotFound();
    }

Detail

In the protocol, the admin has the power to add and remove collateral tokens. Here, the crucial part is to remove the collateral token. Using removeCollateralToken function, the admin removes the addresses that have funds invested by users. This function doesn't check the current available balance of the protocol.

Here is the steps how it may accure :

• Users deposit in RestakeManager.sol using the deposit function.

• After a large chunk of money exists in the protocol, the admin removes the collateral address.

• The user requests to withdraw collateral using the withdraw function.

• The fund is in a cooling period. After the cooling period, the user calls the claim function, but it doesn't exist at that point. 

Recommended Mitigation Steps

check the current balance when remove

Assessed type

Other