# [2023-04-EigenLayer] Presorting

**Contest repo:** https://github.com/code-423n4/2023-04-eigenlayer

**Findings repo:** https://github.com/code-423n4/2023-04-eigenlayer-findings

**Judging by:** [Alex the Entreprenerd](https://twitter.com/GalloDaSballo) (Discord: `Alex The Entreprenerd#5686`)

**Pre-sorting by:** [sorryNotsorry](https://twitter.com/0xSorryNotSorry) (Discord: `sorryNotsorry#1586`)

# High Severity Primary Submissions (27)

## [[H-457] The length of proofs.slotProof is not checked in the verifyWithdrawalProofs function, allowing a malicious EigenPod Owner to be issued only shares via StrategyManager and withdraw all their money](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/457)

## [[H-437] Staker can bypass the debt accrued via `beaconChainETHSharesToDecrementOnWithdrawal` by transferring shares to another address](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/437)

## [[H-432] STRATEGYMANAGER.SOL CONTRACT OWNER COULD BE DEPRIVED OF A SLASH](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/432)

## [[H-420] [H-02] Owner cannot freeze and thus cannot slash a queued withdraw that has the `delegatedAddress` being the `0` address.](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/420)

## [[H-409] verifyWithdrawalCredentialsAndBalance does not verify that oracleBlockNumber is the latest block number.](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/409)

## [[H-404] Queued withdrawals are not treated correctly when a slash occurs, leading to loss of user funds](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/404)

## [[H-388] Slot and block number proofs not required for verification of withdrawal (multiple withdrawals possible)](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/388)

## [[H-387] A Malicious validator can frontrun 32ETH deposit](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/387)

## [[H-377] Users can queue a withdrawal and potentially withdraw completely if ```PAUSED_EIGENPODS_VERIFY_OVERCOMMITTED = false```](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/377)

## [[H-374] Attacker can operate as a staker/operator on eigenLayer without risking any funds](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/374)

## [[H-370] Attacker can make his stake immune to `verifyOvercommittedStake`.](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/370)

## [[H-348] Staker can avoid ETH slash by front run slashShares() with verifyOvercommittedStake()](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/348)

## [[H-294] User with Beacon ETH Strategy that delegate his shares can completely avoid slash event](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/294)

## [[H-287] `withdrawBeforeRestaking()` can't be called in case of second stake with different validator and can cause ether balance to stuck](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/287)

## [[H-260] ETH could get stuck in contract EigenPod irretrievable by anyone](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/260)

## [[H-210] Stakers could dodge slashing when their delegated operator has been frozen due to missing `onlyNotFrozen` visibility on key functions in StrategyManager.sol](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/210)

## [[H-206] `EigenPod` does not have a way to receive Ether for users to perform the withdrawals](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/206)

## [[H-205] It is impossible to slash queued withdrawals that contain a malicious strategy due to a misplacement of the ++i increment](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/205)

## [[H-196] A user's funds cannot be slashed if user were frozen during the withdrawal waiting period.](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/196)

## [[H-193] Share issuance by `StrategyBase` can be manipulated to lock stakers' funds](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/193)

## [[H-192] The threat of user funds if ZERO_ADDRESS is frozen](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/192)

## [[H-172] Slashing a pod owner with debt will reduce their debt instead of increasing it](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/172)

## [[H-132] A malicious strategy can permanently DoS all currently pending withdrawals that contain it](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/132)

## [[H-57] `EigenPod.sol#verifyWithdrawalCredentialsAndBalance` function signature can be replayed to get more shares](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/57)

## [[H-45] slasher cannot retrieve `QueueWithdrawal` struct parameters](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/45)

## [[H-34] missing '= ' in the code](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/34)

## [[H-21] Inconsistency in withdrawal completion and slashing conditions](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/21)

# Medium Severity Primary Submissions (64)

## [[M-455] Loss of funds on deposit when `totalShares > 0 && priorTokenBalance == 0`](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/455)

## [[M-453] `StrategyBase.explanation()` cannot be overridden to intended mutability](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/453)

## [[M-452] `StrategyBase.underlyingToShares()` cannot be overridden to intended mutability](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/452)

## [[M-450] `StrategyBase.sharesToUnderlying()` cannot be overridden to intended mutability](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/450)

## [[M-441] freezeOperator will not be able to freeze an operator](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/441)

## [[M-438] Assuming a 1-1 peg of Liquid Staked Tokens like stETH and rETH to ETH is dangerous](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/438)

## [[M-434] Measuring the withdrawal delay in block production time won't work properly on chains where the production time is not 12 seconds](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/434)

## [[M-433] The values for `strategyIndexes` are not enforced](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/433)

## [[M-431] The value of `MAX_WITHDRAWAL_DELAY_BLOCKS` is constant which shouldn't be](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/431)

## [[M-430] `expiry` should be > `block.timestamp()` rather then >=](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/430)

## [[M-415] `isContract()` is not a reliable way of checking if the input is an EOA](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/415)

## [[M-410] Depositors risk losing funds through StrategyManager.depositIntoStrategyWithSignature()](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/410)

## [[M-400] UNCLEARED DEBT COULD HAVE ETH NOT WITHDRAWABLE FROM EIGENPOD.SOL](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/400)

## [[M-384] withdrawal amount should be greater than the REQUIRED_BALANCE_GWEI](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/384)

## [[M-364] Missing lower boundary check on queueWithdrawal() could disrupt/deny slashQueuedWithdrawal()](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/364)

## [[M-363] Signature Replay possible in `depositIntoStrategyWithSignature` method](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/363)

## [[M-361] Setting the `underlyingToken` to a token with low decimal precision and high value may lose too much value or reduce the willingness of users to participate, because the value of MIN_NONZERO_TOTAL_SHARES is fixed at 1e9](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/361)

## [[M-352] Serivces can widely disable ETH restaking by tricking stakers reach MAX_STAKER_STRATEGY_LIST_LENGTH(32)](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/352)

## [[M-343] No slippage protection when depositing funds into strategies](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/343)

## [[M-338] StrategyManager.slashQueuedWithdrawal might not work as expected](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/338)

## [[M-325] Funds stuck because cannot add a strategy while completing withdrawal](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/325)

## [[M-322] Existing depositors can re-deposit their funds into frozen strategies](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/322)

## [[M-318] User can loose shares and funds if the token transfer fails while withdrawing](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/318)

## [[M-310] Lack of validation to check whether or not the user's funds would be remained in the underlying protocol, which lead to that user's funds will be stuck unless the strategy will be added again by the StrategyWhitelister](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/310)

## [[M-306] Lack of minimum value check for token deposit strategy make slashShares function prone to DoS](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/306)

## [[M-304] Delegator can be a single point of failure that make all delegatees' assets temporarily stuck](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/304)

## [[M-303] Frozen stakers still can withdraw their fund if they create withdraw queue before being frozen](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/303)

## [[M-301] _removeStrategyFromStakerStrategyList() maybe revert with array index out of bounds](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/301)

## [[M-300] queueWithdrawal() strategyIndexes May not work properly](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/300)

## [[M-293] Immutable variables are not immutable](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/293)

## [[M-290] ERC20 of Revert on Large Approvals & Transfers tokens may get stuck](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/290)

## [[M-259] StrategyManager.slashShares() could end up sending less or zero ETH to recipient](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/259)

## [[M-256] StrategyManager.slashShares() and EigenPod._processPartialWithdrawal() could clash into each other in _sendETH()](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/256)

## [[M-221] No pause modifier on EigenPod deposits can cause user deposit when withdrawals are paused](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/221)

## [[M-211] Popping an element from the array of mappings `stakerStrategyList` does not actually happen using pop()](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/211)

## [[M-209] `queueWithdrawal` can be spammed by anyone without making a deposit](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/209)

## [[M-208] claimableUserDelayedWithdrawals returns the wrong number of claimable withdrawals](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/208)

## [[M-207] Adversary can prevent the last user of an `StrategyBase` strategy from withdrawing their entire position](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/207)

## [[M-199] Frozen staker still could deposit into the protocol](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/199)

## [[M-197] The reducing eth of an inactive validator cannot be reflected through verifyOvercommittedStake](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/197)

## [[M-188] _depositIntoStrategy() transfer tokens from wrong address](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/188)

## [[M-187] Missing `msg.sender` field in signature for deposit action](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/187)

## [[M-166] The recipient address is not checked](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/166)

## [[M-162] StrategyManager.sol: Using `IERC20[] calldata tokens ` could be dangerous when a weird token exists in the provided array and could erupt unexpected behaviour of execution](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/162)

## [[M-158] Merkle.merkleizeSha256() could revert due to out of gas when the vouchees array size is large](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/158)

## [[M-152] Inaccurate definition of DOMAIN_TYPEHASH](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/152)

## [[M-128] Operator could turn malicious right before `Slasher.contractCanSlashOperatorUntilBlock` expires](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/128)

## [[M-122] Attacker can grief withdrawals by forcing `_completeQueuedWithdrawal()` to revert](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/122)

## [[M-108] StrategyManager._completeQueuedWithdrawal allows to deposit and bypass pausing of deposit](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/108)

## [[M-106] `canClaimDelayedWithdrawal` is misleading](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/106)

## [[M-98] An attacker can disrupt the balance between `restakedExecutionLayerGwei` and ETH](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/98)

## [[M-97] verifyOvercommittedStake may DDOS](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/97)

## [[M-83] `EigenPod.hasRestaked` turns obsolete for all subsequent ETH validator creations](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/83)

## [[M-67] It is not possible to slash a fully staked EigenPod](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/67)

## [[M-63] computePhase0Eth1DataRoot always returns an incorrect Merkle tree](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/63)

## [[M-59] `EigenPod` missed access checks](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/59)

## [[M-39] Missing validation to a threshold value on full withdrawal](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/39)

## [[M-38] The condition for full withdrawals in the code is different from that in the documentation.](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/38)

## [[M-23] merkleizeSha256 doesn't work as expected](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/23)

## [[M-22] processInclusionProofKeccak does not work as expected](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/22)

## [[M-16] StrategyManager doesn't allow depositer to cancel queuedWithdrawal](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/16)

## [[M-15] Malicious actor can withdraw assets staked by other users via hash collisions](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/15)

## [[M-8] depositIntoStrategyWithSignature will fail to validate signatures from counterfactual wallets](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/8)

## [[M-7] All __GAPs have the same size, while the different contracts have a different number of storage variables. If the __GAP size isn't logical it is more difficult to maintain the code](https://github.com/code-423n4/2023-04-eigenlayer-findings/issues/7)