Renzo - shui's results

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L316-L321

Vulnerability details

Description

During the calculation of the total TVL, the function initiates a loop over the operatorDelegators array using i as the index, followed by a nested loop over the collateralTokens array using j as the index. The issue arises when computing the token values in the withdrawQueue, where i is incorrectly used as the index instead of j. Consequently, the function consistently references the first collateral token for calculating token values in the withdrawQueue, resulting in an inaccurate total TVL calculation.

Impact

An inaccurate calculation of the total TVL poses several critical risks within the system. Given that the minting or redeeming of ezETH is contingent upon the total TVL, any miscalculation could lead to erroneous minting or redemption actions. This, in turn, jeopardizes the fair distribution of rewards among users and potentially results in financial losses.

Moreover, the totalTVL serves as a pivotal factor in determining the exchange rate between ezETH and ETH within the BalancerRateProvider contract. Any inaccuracies in its calculation could profoundly impact this rate, disrupting the balance and fairness of exchanges between the two assets.

Furthermore, the withdraw function relies on the accurate determination of the totalTVL to calculate the amount of ETH to redeem. An erroneous total TVL calculation here could lead to incorrect redemption amounts, thereby causing financial losses either to the user or the protocol itself.

Proof of Concept

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Withdraw/WithdrawQueue.sol#L216-L224

withdraw function in WithdrawQueue.sol:

    File: contracts/Withdraw/WithdrawQueue.sol #1

    216        // calculate totalTVL
    217        (, , uint256 totalTVL) = restakeManager.calculateTVLs();
    218
    219        // Calculate amount to Redeem in ETH
    220        uint256 amountToRedeem = renzoOracle.calculateRedeemAmount(
    221            _amount,
    222            ezETH.totalSupply(),
    223            totalTVL
    224        );

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RateProvider/BalancerRateProvider.sol#L29C1-L41C6

getRate function in BalancerRateProvider.sol:

    File: contracts/RateProvider/BalancerRateProvider.sol #2

29    function getRate() external view returns (uint256) {
30        // Get the total TVL priced in ETH from restakeManager
31        (, , uint256 totalTVL) = restakeManager.calculateTVLs();
32
33        // Get the total supply of the ezETH token
34        uint256 totalSupply = ezETHToken.totalSupply();
35
36        // Sanity check
37        if (totalSupply == 0 || totalTVL == 0) revert InvalidZeroInput();
38
39        // Return the rate
40        return (10 ** 18 * totalTVL) / totalSupply;
41    }

Recommended Mitigation

To resolve this issue, the function should use the j index to reference the correct collateral token in the collateralTokens array when calculating the token values in the withdrawQueue. This can be achieved by replacing collateralTokens[i] with collateralTokens[j] in RestakeManager.sol

        if (!withdrawQueueTokenBalanceRecorded) {
        totalWithdrawalQueueValue += renzoOracle.lookupTokenValue(
--          collateralTokens[i],
++          collateralTokens[j],
            collateralTokens[j].balanceOf(withdrawQueue)
        );
    }

Assessed type

Loop