Assessment reportsPublic findings
Back to Zellic site
Assessment reports>EtherFi>Medium findings>Deposit cancellation may fail if the etherFiNode version is not updated
GeneralOverview
Findings
Critical (5)
High (1)
Medium (3)BNFT holder is compared with an incorrect addressQueued withdrawals are not claimed by `forcePartialWithdraw`Deposit cancellation may fail
Low (1)
Informational (1)
DiscussionUnused variables could be removed
Threat ModelWhat are threat models?EtherFiNode.solEtherFiNodesManager.solLiquidityPool.solStakingManager.sol
Audit ResultsSummary
Category: Coding Mistakes

Deposit cancellation may fail if the etherFiNode version is not updated

Medium Severity
Medium Impact
Low Likelihood

Description

The functions batchCancelDeposit and batchCancelDepositAsBnftHolder do not call _updateEtherFiNode to update the etherFiNode version. These functions internally call unRegisterValidator in etherFiNode, which has a modifier ensureLatestVersion to ensure that the version of the etherFiNode is not zero, but as _updateEtherFiNode is never called, the version would be zero, and this call would revert.

Impact

The functions batchCancelDeposit and batchCancelDepositAsBnftHolder might revert if the version is still zero.

Recommendations

We recommend calling _updateEtherFiNode in the batchCancelDeposit / batchCancelDepositAsBnftHolder functions or internally before EtherFiNode.sol:unRegisterValidator is called.

Remediation

This issue has been acknowledged by EtherFi, and a fix was implemented in commit 405b37cc.

Zellic © 2025Back to top ↑