Withdrawal amount calculation timing causes yield leakage and asset imbalance #466
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-282
🤖_45_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Comments
howlbot-integration
bot
added
2 (Med Risk)
|
CloudEllie marked the issue as duplicate of #467 |
c4-judge
added
the
satisfactory
|
alcueca marked the issue as satisfactory |
c4-judge
added
3 (High Risk)
|
alcueca changed the severity to 3 (High Risk) |
|
alcueca marked the issue as duplicate of #326 |
|
alcueca marked the issue as not a duplicate |
|
alcueca marked the issue as duplicate of #282 |
|
While this issue doesn't reveal the reverts caused by decreasing stEth balances in an slashing event, it does correctly point out that stETH shouldn't be treated as non-rebasing LSTs in the withdrawal queue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Withdraw/WithdrawQueue.sol#L217-L233
https://github.com/code-423n4/2024-04-renzo/blob/main/contracts/Withdraw/WithdrawQueue.sol#L305-L308
Vulnerability details
Cause
The
WithdrawQueuecontract calculates the withdrawal redemption amount at the time of the withdrawal request but pays out the amount at the time of the claim.Impact
For accruing LSTs, this means that yield that can be accrued for ezETH holders, is instead accrued to withdrawals, and lost to the protocol.
This will also create an imbalance in deposit and withdrawal flows because users will prefer to redeem in accruing tokens to avoid losing 7 days of yield.
This, in turn, will skew the asset composition, causing the protocol to accumulate rebasing LSTs over time to reach their TVL cap and revert on subsequent deposits. This will result in an ongoing DoS of deposits for these assets.
While it's possible to keep increasing TVL caps for rebasing LSTs, it is unlikely to be a long term solution, because would not be responsible risk management and would reduce asset diversification.
Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Calculate the redemption from ezETH to ETH value at the withdrawal request time, but calculate the final LST amount at claim time for all assets. This will keep the ETH value of a withdrawal fixed for the duration of the delay and divert the yield earned to the ezETH holders.
Alternatively, allow the admin to rebalance the asset mixture by swapping assets withdrawn from Eigenlayer before transferring them to the
WithdrawQueue.function withdraw(uint256 _amount, address _assetOut) external nonReentrant { ... // Calculate amount to Redeem in ETH uint256 amountToRedeem = renzoOracle.calculateRedeemAmount( _amount, ezETH.totalSupply(), totalTVL ); - // update amount in claim asset, if claim asset is not ETH - if (_assetOut != IS_NATIVE) { - // Get ERC20 asset equivalent amount - amountToRedeem = renzoOracle.lookupTokenAmountFromValue( - IERC20(_assetOut), - amountToRedeem - ); } function claim(uint256 withdrawRequestIndex) external nonReentrant { ... WithdrawRequest memory _withdrawRequest = withdrawRequests[msg.sender][ withdrawRequestIndex ]; + // update amount in claim asset, if claim asset is not ETH + if (_withdrawRequest.collateralToken != IS_NATIVE) { + // Get ERC20 asset equivalent amount + _withdrawRequest.amountToRedeem = renzoOracle.lookupTokenAmountFromValue( + IERC20(_withdrawRequest.assetOut), + _withdrawRequest.amountToRedeem + ); }Assessed type
Other
The text was updated successfully, but these errors were encountered: