Back to zhaojohnson's contests

Renzo - zhaojohnson's results

A protocol that abstracts all staking complexity from the end-user and enables easy collaboration with EigenLayer node operators and a Validated Services (AVSs).

General Information

Platform: Code4rena

Start Date: 30/04/2024

Pot Size: $112,500 USDC

Total HM: 22

Participants: 122

Period: 8 days

Judge: alcueca

Total Solo HM: 1

Id: 372

League: ETH

Renzo

Findings Distribution

Researcher Performance

Rank: 40/122

Findings: 2

Award: $100.91

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryRenzo

Findings Information

🌟 Selected for report: pauliax

Also found by: 0rpse, 0x73696d616f, 0xAadi, 0xCiphky, 0xPwned, 0xhacksmithh, 0xnev, 0xnightfall, 0xordersol, 14si2o_Flint, Aamir, Aymen0909, BiasedMerc, DanielArmstrong, Fassi_Security, FastChecker, GoatedAudits, Greed, KupiaSec, LessDupes, Maroutis, NentoR, OMEN, SBSecurity, Stefanov, TheFabled, adam-idarrha, ak1, aman, araj, aslanbek, b0g0, baz1ka, bigtone, blutorque, carlitox477, carrotsmuggler, crypticdefense, eeshenggoh, fyamf, gesha17, gjaldon, grearlake, guhu95, honey-k12, hunter_w3b, ilchovski, josephdara, kinda_very_good, lanrebayode77, m_Rassska, maxim371, mt030d, mussucal, oakcobalt, p0wd3r, peanuts, rbserver, shui, siguint, t0x1c, tapir, twcctop, ustazz, xg, zhaojohnson, zigtur, zzykxx

Awards

0.0026 USDC - $0.00

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
:robot:_56_group
duplicate-28

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/RestakeManager.sol#L299-L321

Vulnerability details

Impact

Use incorrect loop index to calculate the tvl. This will cause inaccurate tvl value.

Proof of Concept

In RestakeManager::calculateTVLs(), the function will calculate tvls from all operator delegators and deposit queues, withdraw queues. When the function calculates withdraw queues' token values, it uses collateralTokens[i] and collateralTokens[j].balanceOf(withdrawQueue), this is incorrect. We should use the same collateral and same collateral's amount to calculate tvl. In one word, we should change collateralTokens[i] to collateralTokens[j].

    function calculateTVLs() public view returns (uint256[][] memory, uint256[] memory, uint256) {
            ...
            for (uint256 j = 0; j < tokenLength; ) {
                // Get the value of this token
                uint256 operatorBalance = operatorDelegators[i].getTokenBalanceFromStrategy(
                    collateralTokens[j]
                );
                // Set the value in the array for this OD
                operatorValues[j] = renzoOracle.lookupTokenValue(
                    collateralTokens[j],
                    operatorBalance
                );
                // Add it to the total TVL for this OD
                operatorTVL += operatorValues[j];
                // record token value of withdraw queue
                if (!withdrawQueueTokenBalanceRecorded) {
                    totalWithdrawalQueueValue += renzoOracle.lookupTokenValue(
              @==>      collateralTokens[i],
                        collateralTokens[j].balanceOf(withdrawQueue)
                    );
                }
                unchecked {
                    ++j;
                }
            }

Tools Used

Manual

Change collateralTokens[i] to collateralTokens[j].

Assessed type

Error

#0 - c4-judge

2024-05-16T10:26:53Z

alcueca marked the issue as satisfactory

#1 - c4-judge

2024-05-16T10:38:47Z

alcueca changed the severity to 2 (Med Risk)

#2 - c4-judge

2024-05-16T10:39:08Z

alcueca changed the severity to 3 (High Risk)

#3 - c4-judge

2024-05-20T04:26:26Z

alcueca changed the severity to 2 (Med Risk)

#4 - c4-judge

2024-05-23T13:47:20Z

alcueca changed the severity to 3 (High Risk)

Findings Information

🌟 Selected for report: GalloDaSballo

Also found by: 0xabhay, GoatedAudits, SBSecurity, d3e4, jokr, p0wd3r, peanuts, zhaojohnson

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sponsor disputed
sufficient quality report
:robot:_primary
:robot:_57_group
duplicate-13

Awards

100.9059 USDC - $100.91

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-04-renzo/blob/519e518f2d8dec9acf6482b84a181e403070d22d/contracts/Oracle/RenzoOracle.sol#L71-L81

Vulnerability details

Impact

Chainlink price's update will cause the whole tvl's change. The whole tvl value's change will cause share price's change.

Proof of Concept

Depositors will earn profit when the share price increases. When chainlink updates the related feeds, the whole tvl will change because collateral token's price changes. Let's take stETH/ETH as one example. stETH/ETH feed's deviation threshold is 0.5%. It means tvl's value can increase 0.5% in one block in some extreme condition. This will be one possible arbitrage chance.

Possible arbitrage attack vector:

  • Alice deposits collateral tokens into renzo by frontrun.
  • Chainlink update stETH/ETH feed. For example, the feed's price increase 0.5% compared with last update. Now the whole tvl will increase because of stETH/ETH price increase. For example, the whole tvl increase 0.2%.
  • Alice withdraw her shares with the increased price.
    function lookupTokenValue(IERC20 _token, uint256 _balance) public view returns (uint256) {
        AggregatorV3Interface oracle = tokenOracleLookup[_token];
        if (address(oracle) == address(0x0)) revert OracleNotFound();

        (, int256 price, , uint256 timestamp, ) = oracle.latestRoundData();
        if (timestamp < block.timestamp - MAX_TIME_WINDOW) revert OraclePriceExpired();
        if (price <= 0) revert InvalidOraclePrice();

        // Price is times 10**18 ensure value amount is scaled
        return (uint256(price) * _balance) / SCALE_FACTOR;
    }

Tools Used

Manual

Consider to lock a period for the deposit to avoid the arbitrage.

Assessed type

Timing

#0 - jatinj615

2024-05-14T14:26:09Z

Expected Behaviour. As the arbitrage opportunity comes with a cost of locking funds for specified coolDownPeriod in which it won't be earning any rewards. Therefore, 1 day reward share is comparatively low against loosing 7 days rewards.

#1 - C4-Staff

2024-05-15T14:45:03Z

CloudEllie marked the issue as primary issue

#2 - c4-judge

2024-05-17T13:41:43Z

alcueca changed the severity to 3 (High Risk)

#3 - alcueca

2024-05-17T13:42:29Z

TVL changes being front-run is profitable because of pricing withdrawals at beginning of cooldown.

#4 - c4-judge

2024-05-17T13:42:45Z

alcueca marked the issue as duplicate of #326

#5 - c4-judge

2024-05-17T13:42:48Z

alcueca marked the issue as satisfactory

#6 - c4-judge

2024-05-28T04:30:32Z

alcueca marked the issue as not a duplicate

#7 - c4-judge

2024-05-28T04:32:36Z

alcueca marked the issue as duplicate of #424

#8 - d3e4

2024-05-28T08:46:32Z

@alcueca I don't think this is a duplicate of #424, nor that it is valid in itself. This talks only about exploiting a sudden price increase of the oracle. But this is just how oracles work; they have to update their prices in discrete steps. This report simply describes depositing when low and withdrawing when high, i.e. a normal trade and expected behaviour. The point of #424 is to exploit a price deviation (not an update) on two different underlying assets, which is not mentioned by this report.

#9 - c4-judge

2024-05-28T10:51:53Z

alcueca marked the issue as not a duplicate

#10 - c4-judge

2024-05-28T10:51:57Z

alcueca marked the issue as primary issue

#11 - c4-judge

2024-05-28T10:56:09Z

alcueca marked the issue as duplicate of #424

#12 - alcueca

2024-05-28T10:57:18Z

Selected #424 as best. There isn't a significant difference in the root cause, as this finding is only profitable if the ezETH value depends on anything more than just the asset whose price change is being frontrun.

#13 - c4-judge

2024-05-30T06:15:53Z

alcueca marked the issue as duplicate of #13

#14 - c4-judge

2024-05-30T06:29:09Z

alcueca changed the severity to 2 (Med Risk)

#15 - c4-judge

2024-05-30T19:19:57Z

alcueca marked the issue as not a duplicate

#16 - c4-judge

2024-05-30T19:22:10Z

alcueca marked the issue as duplicate of #13

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter