Renzo - ustazz's results

A protocol that abstracts all staking complexity from the end-user and enables easy collaboration with EigenLayer node operators and Actively Validated Services (AVSs).

General Information

Platform: Code4rena

Start Date: 30/04/2024

Pot Size: $112,500 USDC

Total HM: 22

Participants: 122

Period: 8 days

Judge: alcueca

Total Solo HM: 1

Id: 372

League: ETH

Renzo

Findings Distribution

Researcher Performance

Rank: 105/122

Findings: 1

Award: $0.00

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L317-L320

Vulnerability details

Impact

The potential consequences of this issue may lead to inaccuracies in the calculation performed by the RestakeManager::calculateTVLs() function. This, in turn, could affect the following:

  • User deposits within the RestakeManager::deposit() and RestakeManager::depositETH() functions, as well as reward computations in RestakeManager::depositTokenRewardsFromProtocol().
  • The precision of the current rate of ezETH obtained from BalancerRateProvider::getRate().
  • The precision of withdrawals executed via WithdrawQueue::withdraw(), i.e. loss of funds to either user and/or protocol

Proof of Concept

In RestakeManager.sol, lines 298 and 299 define the index variable and the condition for iteration:

    uint256 tokenLength = collateralTokens.length;
    for (uint256 j = 0; j < tokenLength; ) {

but in line 318 a different (inaccurate) index variable is used, which is from the outer for-loop:

    collateralTokens[i],

Additionally, the code block is supposed to run once (due to the withdrawQueueTokenBalanceRecorded initialization and update), which may result in i = 0 (i.e. no error), but in the calculation of totalWithdrawalQueueValue it will iterate through the different balances of collateralTokens for the one collateralTokens entry at index i.

    totalWithdrawalQueueValue += renzoOracle.lookupTokenValue(
        collateralTokens[i],
        collateralTokens[j].balanceOf(withdrawQueue)
    );

Tools Used

Manual analysis

Change the index variable from i to j in line 318 in RestakeManager.sol

    totalWithdrawalQueueValue += renzoOracle.lookupTokenValue(
-                            collateralTokens[i],
+                            collateralTokens[j],
                             collateralTokens[j].balanceOf(withdrawQueue)
                        );
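
Review bot: the call to `renzoOracle.lookupTokenValue` still indexes `collateralTokens` separately for each argument, which is how the token being priced and the token whose balance is read drifted apart. Consider reading `collateralTokens[j]` into a local once and passing that local to both the lookup and the `balanceOf(withdrawQueue)` call, so the two can no longer disagree. A regression test for this change needs at least two collateral tokens with different oracle values and non-zero withdraw queue balances, because with a single token `i` and `j` resolve to the same entry and the old and new lines behave identically.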

Assessed type

Context
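
The loop shape described in the Proof of Concept, as an added Python model (not the contest code and not the warden's own PoC), showing how pricing every withdraw queue balance with the token at the outer index skews the total. The token names, prices, balances, the outer loop length and the price-times-balance oracle are constructed assumptions.

```python
# Constructed sample data (hypothetical tokens, prices and balances).
TOKENS = ["TOKEN_A", "TOKEN_B"]
PRICES = {"TOKEN_A": 100, "TOKEN_B": 103}          # value per unit of token
QUEUE_BALANCES = {"TOKEN_A": 50, "TOKEN_B": 200}   # balances held by the withdraw queue


def lookup_token_value(prices, token, balance):
    """Stand-in for renzoOracle.lookupTokenValue (assumed: price * balance)."""
    return prices[token] * balance


def withdraw_queue_value(tokens, prices, queue_balances, outer_len, fixed):
    """Model of the nested loop: outer index i, inner index j over the tokens.

    A flag mirrors withdrawQueueTokenBalanceRecorded, so the withdraw queue
    block only contributes during the first outer pass (i == 0).
    fixed=False prices with tokens[i] (reported bug); fixed=True uses tokens[j].
    """
    total = 0
    recorded = False
    for i in range(outer_len):
        for j in range(len(tokens)):
            if not recorded:
                priced_as = tokens[j] if fixed else tokens[i]
                total += lookup_token_value(
                    prices, priced_as, queue_balances[tokens[j]]
                )
        recorded = True  # set after the first full inner pass
    return total


def mispricing(tokens, prices, queue_balances, outer_len):
    """Difference between the corrected and the buggy withdraw queue value."""
    good = withdraw_queue_value(tokens, prices, queue_balances, outer_len, True)
    bad = withdraw_queue_value(tokens, prices, queue_balances, outer_len, False)
    return good - bad


if __name__ == "__main__":
    for label, fixed in (("buggy [i]", False), ("fixed [j]", True)):
        value = withdraw_queue_value(TOKENS, PRICES, QUEUE_BALANCES, 3, fixed)
        print(f"{label}: totalWithdrawalQueueValue = {value}")
    print("understated by:", mispricing(TOKENS, PRICES, QUEUE_BALANCES, 3))
```

With a single collateral token the two variants agree, so the error only appears once a second token with a different value has a balance in the withdraw queue.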

#0 - c4-judge

2024-05-16T10:33:36Z

alcueca marked the issue as satisfactory

#1 - c4-judge

2024-05-16T10:38:47Z

alcueca changed the severity to 2 (Med Risk)

#2 - c4-judge

2024-05-16T10:39:08Z

alcueca changed the severity to 3 (High Risk)

#3 - c4-judge

2024-05-20T04:26:26Z

alcueca changed the severity to 2 (Med Risk)

#4 - c4-judge

2024-05-23T13:47:21Z

alcueca changed the severity to 3 (High Risk)
