Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>EigenLayer DVN>Threat Model>Function: fulfillRequest(uint256 _id, IStrategy[] memory _strategies, uint256[] memory _wadsToSlash, string memory _response)
GeneralOverview
Threat ModelWhat are threat models?
1-LayerZeroSlasherFunction: queueRequest(string memory _description)Function: refundRequest(uint256 _id, string memory _response)Function: cancelRequest(uint256 _id, string memory _response)Function: fulfillRequest(uint256 _id, IStrategy[] memory _strategies, uint256[] memory _wadsToSlash, string memory _response)
2-LayerZeroAVSRegistrar
Audit ResultsAssessment Results

Function: fulfillRequest(uint256 _id, IStrategy[] memory _strategies, uint256[] memory _wadsToSlash, string memory _response)

This function executes a queued slashing request within the APPROVAL_WINDOW. Only the contract owner may call this. On success, the request is marked as fulfilled, EigenLayer slashing is executed, redistribution is cleared, and the bond is refunded to the original bonder.

Inputs

  • _id

    • Validation: The _requests associated with _id must have the status QUEUED — also requires block.timestamp <= request.expiry.

    • Impact: Transitions status to Status.FULFILLED, persists _response, and stores the associated slashId.

  • _strategies

    • Validation: Must have the same length as _wadsToSlash.

    • Impact: Forwarded to EigenLayer slashOperator as the strategies to slash.

  • _wadsToSlash

    • Validation: Must have the same length as _strategies.

    • Impact: Forwarded to EigenLayer slashOperator as the corresponding amounts to slash.

  • _response

    • Validation: None.

    • Impact: Stored in the request struct and emitted in the event.

Branches and code coverage

Intended branches

Negative behavior

Function call analysis

  • fulfillRequest -> ALLOCATION_MANAGER.slashOperator

    • External/internal? External.

    • Argument control? Caller (owner) controls _strategies and _wadsToSlash. The operator, avs, and operatorSetId are derived from AVS_REGISTRAR and contract constants — description comes from the stored request (set by the bonder).

    • Impact: Executes EigenLayer slashing and returns slashId, which is stored on the request.

  • fulfillRequest -> STRATEGY_MANAGER.clearBurnOrRedistributableShares

    • External/internal? External.

    • Argument control? None by the caller — operatorSet is derived from AVS_REGISTRAR and contract constants, and slashId is derived from the previous call slashOperator.

    • Impact: Clears burn or redistributable shares for the operator set and slashId.

  • fulfillRequest -> safeTransfer

    • External/internal? External.

    • Argument control? to is the stored bonder and amount is the stored bondAmount — both controlled by the bonder when the request was queued.

    • Impact: Refunds the bond to the bonder upon successful fulfillment.

Zellic © 2025Back to top ↑