Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Omni AVS>High findings>Share for unsupported strategy of operator triggers infinite loop in ,_getSelfDelegations
GeneralOverview
Findings
High (2)Infinite loop in `_getSelfDelegations`Minimum staking is only checked in registration
Medium (1)
Informational (1)
DiscussionEigenLayer is being actively developed
Threat ModelWhat are threat models?Omni.solOmniAVS.sol
Audit ResultsSummary
Category: Coding Mistakes

Share for unsupported strategy of operator triggers infinite loop in _getSelfDelegations

High Severity
High Impact
Medium Likelihood

Description

OmniAVS calculates the personal stake amount and delegated stake amount of an operator separately. To calculate an operator's personal stake amount, OmniAVS fetches the delegatable shares of an operator, which is fully delegated to the operator by the design of EigenLayer. Following is the code of the function _getSelfDelegations for this behavior:

function _getSelfDelegations(address operator) internal view returns (uint96) {
    (IStrategy[] memory strategies, uint256[] memory shares) = _delegationManager.getDelegatableShares(operator);

    uint96 staked;
    for (uint256 i = 0; i < strategies.length;) {
        IStrategy strat = strategies[i];

        // find the strategy params for the strategy
        StrategyParam memory params;
        for (uint256 j = 0; j < _strategyParams.length;) {
            if (address(_strategyParams[j].strategy) == address(strat)) {
                params = _strategyParams[j];
                break;
            }
            unchecked {
                j++;
            }
        }

        // if strategy is not found, do not consider it in stake
        if (address(params.strategy) == address(0)) continue;

        staked += _weight(shares[i], params.multiplier);
        unchecked {
            i++;
        }
    }

    return staked;
}

The function is implemented using a nested for loop; the outer loop iterates over the strategies of the operator, and the inner loop iterates over the strategy/strategies registered in OmniAVS.

If a strategy of an operator is not registered in OmniAVS, it continues the outer loop. However, because i is not incremented, the loop iterates for the same strategy again. This leads to an infinite loop.

Impact

If an operator deposits to the strategy unsupported in OmniAVS, _getOperators would run indefinitely instead of returning the result. This makes syncing the list of operators impossible until the operator withdraws from the strategy or is manually ejected.

Recommendations

Consider refactoring the logic to prevent the outer loop from getting stuck in an unsupported strategy.

Remediation

This issue has been acknowledged by Omni Network, and a fix was implemented in commit fc19c261.

This finding was brought to our attention by Omni Network prior to the official report being submitted.

Zellic © 2025Back to top ↑