Assessment reportsPublic findings
Back to Zellic site
Assessment reports>EtherFi>Medium findings>The BNFT holder is compared with an incorrect address
GeneralOverview
Findings
Critical (5)
High (1)
Medium (3)BNFT holder is compared with an incorrect addressQueued withdrawals are not claimed by `forcePartialWithdraw`Deposit cancellation may fail
Low (1)
Informational (1)
DiscussionUnused variables could be removed
Threat ModelWhat are threat models?EtherFiNode.solEtherFiNodesManager.solLiquidityPool.solStakingManager.sol
Audit ResultsSummary
Category: Coding Mistakes

The BNFT holder is compared with an incorrect address

Medium Severity
Medium Impact
Medium Likelihood

Description

The function batchDepositWithLiquidityPoolAsBnftHolder could be called in the LiquidityPool contract when isLpBnftHolder is true. If isLpBnftHolder is true, the LiquidityPool is expected to be the owner of the new BNFT and the BNFT of the validator ID to share the safe with.

But internally in the _processDeposit function, it checks if the owner of the BNFT with ID _validatorIdToShareWithdrawalSafe is equal to the _staker instead of LiquidityPool.

Impact

The function batchDepositWithLiquidityPoolAsBnftHolder would revert if a nonzero _validatorIdToShareWithdrawalSafe is passed to it because of incorrect owner check.

Recommendations

We recommend passing the address of LiquidityPool as the BNFT holder and comparing the owner of _validatorIdToShareWithdrawalSafe with this address.

Remediation

This issue has been acknowledged by EtherFi, and a fix was implemented in commit 010bd4b7.

Zellic © 2025Back to top ↑