Category: Coding Mistakes

ETH sent to wrong address on cancellation

Critical Severity
Critical Impact
Medium Likelihood

Description

This bug was independently discovered by the EtherFi team, and they presented us with the fix, which we reviewed. Here are the details of the issue:

When isLpBnftHolder is true, the LiquidityPool is the bnft holder. In this case, if the deposit is cancelled, the 2 ETH belonging to the LiquidityPool (which is also the bnft holder) shouldn't be sent out to the _bnftStaker but should instead remain in the LiquidityPool.

Impact

ETH is sent to the wrong address when the LiquidityPool is the bnft holder.

Recommendations

The tokens shouldn't be sent to the _bnftStaker when isLpBnftHolder is true.
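
The guard described above, as an added sketch that is not EtherFi's code and not the fix from the commit referenced below. Only isLpBnftHolder and _bnftStaker come from this report; the contract, the per-validator mapping, the admin check and the function names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified pool illustrating the finding; not the audited contract.
contract CancelRefundSketch {
    uint256 public constant BNFT_STAKE = 2 ether; // the 2 ETH named in the report
    address public immutable admin;               // hypothetical access control

    // Assumed layout: records, per validator, whether the pool itself funded the 2 ETH.
    mapping(uint256 => bool) public isLpBnftHolder;

    event CancelRefund(uint256 indexed validatorId, address indexed to, uint256 amount);

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    receive() external payable {}

    /// Before: always pays _bnftStaker, even when the pool is the bnft holder,
    /// so 2 ETH of pool funds leave the pool on every such cancellation.
    function cancelBefore(uint256 validatorId, address _bnftStaker) external onlyAdmin {
        delete isLpBnftHolder[validatorId];
        _send(validatorId, _bnftStaker, BNFT_STAKE);
    }

    /// After: the refund is skipped when the pool is the bnft holder,
    /// so the 2 ETH stays in the pool; staker-funded deposits are refunded as before.
    function cancelAfter(uint256 validatorId, address _bnftStaker) external onlyAdmin {
        bool lpFunded = isLpBnftHolder[validatorId];
        delete isLpBnftHolder[validatorId]; // state change before the external call
        if (!lpFunded) {
            _send(validatorId, _bnftStaker, BNFT_STAKE);
        }
    }

    function _send(uint256 validatorId, address to, uint256 amount) private {
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "ETH transfer failed");
        emit CancelRefund(validatorId, to, amount);
    }
}
```

A regression test for this class of bug can assert that the pool's ETH balance is unchanged across a cancellation whenever isLpBnftHolder is true.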

Remediation

This issue has been acknowledged by EtherFi, and a fix was implemented in commit 3d2b1037.

Zellic © 2025