Assessment reportsPublic findings
Back to Zellic site
Assessment reports>EtherFi>Threat Model>batchDepositWithLiquidityPoolAsBnftHolder
GeneralOverview
Findings
Critical (5)
High (1)
Medium (3)
Low (1)
Informational (1)
DiscussionUnused variables could be removed
Threat ModelWhat are threat models?EtherFiNode.solEtherFiNodesManager.sol
LiquidityPool.solbatchDepositAsBnftHolderbatchDepositWithLiquidityPoolAsBnftHolder
StakingManager.sol
Audit ResultsSummary

Function: batchDepositWithLiquidityPoolAsBnftHolder(uint256[] _candidateBidIds, uint256 _numberOfValidators, uint256 _validatorIdToShareSafeWith)

Batch deposit with the liquidity pool as the BNFT holder.

Inputs

  • _candidateBidIds

    • Control: Fully controlled by the caller.

    • Constraints: No specific constraints mentioned.

    • Impact: Determines the validators to be used for the deposit.

  • _numberOfValidators

    • Control: Fully controlled by the caller.

    • Constraints: No specific constraints mentioned.

    • Impact: Affects the number of validators to be spun up.

  • _validatorIdToShareSafeWith

    • Control: Fully controlled by the caller.

    • Constraints: No specific constraints mentioned.

    • Impact: Specifies the validator to share the withdrawal safe with.

Branches and code coverage

Intended branches

  • Calls batchDepositWithBidIds on the staking manager and returns the funds to the caller for bids that are already taken.

Negative behavior

  • Revert if the caller is not a registered BNFT holder.

  • Revert if the balance of the pool is not enough to cover the staking.

  • Revert if the msg.value passed to the function is not equal to _numberOfValidators * _stakerDepositAmountPerValidator; _stakerDepositAmountPerValidator is 0 for this function, so msg.value should be 0, too.

Function call analysis

  • this._batchDeposit(_candidateBidIds, _numberOfValidators, 0, _validatorIdToShareSafeWith) -> this.stakingManager.batchDepositWithBidIds(_candidateBidIds, _numberOfValidators, msg.sender, SourceOfFunds.EETH, this.restakeBnftDeposits, _validatorIdToShareSafeWith)

    • What is controllable? _candidateBidIds , _numberOfValidators, and _validatorIdToShareSafeWith.

    • If the return value is controllable, how is it used and how can it go wrong? The return value is not directly controllable by the caller and represents the array of bids that were successfully processed.

    • What happens if it reverts, reenters or does other unusual control flow? If this call reverts, it indicates a failure in the deposit process; no reentrancy scenario is expected.

Zellic © 2025Back to top ↑