BNFT holder could cancel the deposit after processNodeExit is called
Description
Once the node's exit and funds withdrawal from Beacon is observed, the protocol calls processNodeExit to process their exits. This function updates the phase of the validator to EXITED. To fully withdraw the funds, the function fullWithdraw could be called, which burns the two NFTs and distributes the payouts to all the entities. However, a BNFT holder could call batchCancelDeposit on the validator ID, which would transfer the BNFT holder 2 ETH, assuming there is enough ETH in the liquidity pool and numPendingDeposits is greater than one. This call to batchCancelDeposit would change the phase of the validator from EXITED to FULLY_WITHDRAWN and would delete the etherfiNodeAddress mapping.
Later, if fullWithdraw is called on that validator ID, the call would revert.
Impact
A BNFT holder could receive the entire 2 ETH even after a penalty and could block the withdrawals of other entities for that validator ID.
Recommendations
The underlying issue was caused by the function _unRegisterValidator, which handled the phase transition for both canceled deposits and withdrawals. We recommend separating the phase transitions for these two functionalities.
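One way to separate the two transitions, as an added sketch that is not EtherFi's code and not the fix from the commit referenced in this finding. Only EXITED, FULLY_WITHDRAWN, etherfiNodeAddress, processNodeExit and fullWithdraw come from the finding; the contract name, the other phase names, the helper names and the remaining entry points are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

/// Constructed model of the phase logic only; payouts, NFT burns and
/// access control are omitted. Not EtherFi's code.
contract ValidatorPhaseModel {
    // EXITED and FULLY_WITHDRAWN are named in the finding; the other
    // phase names are assumptions made for this example.
    enum Phase { NOT_INITIALIZED, STAKE_DEPOSITED, LIVE, EXITED, FULLY_WITHDRAWN, CANCELLED }

    mapping(uint256 => Phase) public phase;
    mapping(uint256 => address) public etherfiNodeAddress;

    error InvalidPhase(uint256 validatorId, Phase current);

    // Simplified shape of the flaw (kept for comparison, unused): one helper
    // serves both callers, so the cancel path also moves an EXITED validator
    // to FULLY_WITHDRAWN and deletes its node address.
    function _unRegisterValidatorShared(uint256 id) internal {
        phase[id] = Phase.FULLY_WITHDRAWN;
        delete etherfiNodeAddress[id];
    }

    // Separated transition 1: cancel is valid only before the validator is live.
    function _cancelDeposit(uint256 id) internal {
        if (phase[id] != Phase.STAKE_DEPOSITED) revert InvalidPhase(id, phase[id]);
        phase[id] = Phase.CANCELLED;
        delete etherfiNodeAddress[id];
    }

    // Separated transition 2: full withdrawal is valid only after exit.
    function _completeWithdrawal(uint256 id) internal {
        if (phase[id] != Phase.EXITED) revert InvalidPhase(id, phase[id]);
        phase[id] = Phase.FULLY_WITHDRAWN;
        delete etherfiNodeAddress[id];
    }

    // Hypothetical entry points wired to the separated transitions.
    function register(uint256 id, address node) external {
        if (phase[id] != Phase.NOT_INITIALIZED) revert InvalidPhase(id, phase[id]);
        (phase[id], etherfiNodeAddress[id]) = (Phase.STAKE_DEPOSITED, node);
    }
    function markLive(uint256 id) external {
        if (phase[id] != Phase.STAKE_DEPOSITED) revert InvalidPhase(id, phase[id]);
        phase[id] = Phase.LIVE;
    }
    function processNodeExit(uint256 id) external {
        if (phase[id] != Phase.LIVE) revert InvalidPhase(id, phase[id]);
        phase[id] = Phase.EXITED;
    }
    function cancelDeposit(uint256 id) external { _cancelDeposit(id); }
    function fullWithdraw(uint256 id) external { _completeWithdrawal(id); }
}
```

In this model, cancelDeposit reverts with InvalidPhase once processNodeExit has run, so the node address survives and fullWithdraw still completes.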
Remediation
This issue has been acknowledged by EtherFi, and a fix was implemented in commit 04ba6239.