fix: native restaking withdrawal checks could be bypassed

[adu-web3]

Description

closes: #84

the solution is simple, before sending the withdrawal request to Exocore in LSTRestakingController.withdrawPrincipalFromExocore, we try to get corresponding vault for the specified token. If we could get the vault, the token cannot be VIRTUAL_STAKED_ETH_ADDRESS.

Simply checking that the token being not equal to VIRTUAL_STAKED_ETH_ADDRESS is also a good approach, but _getVault could guarantee not only the token is LST token but also the vault exists

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Enhanced security measures for token withdrawals, preventing unauthorized access to natively staked ETH.
  • Introduced a new contract for improved testing of withdrawal scenarios, ensuring robust handling of edge cases.

• Bug Fixes

  • Improved clarity and consistency in contract naming conventions to adhere to best practices.

• Documentation

  • Added comments to clarify conditions for vault deployments related to natively staked ETH, enhancing code readability.
  • Introduced a new error type for better handling of vault deployment scenarios involving natively staked ETH.

[coderabbitai]

Walkthrough

The changes introduce enhanced security measures in the LSTRestakingController contract to prevent unauthorized withdrawals by enforcing stricter checks on the token parameter. Additionally, the test suite is expanded with a new contract for validating withdrawal scenarios, ensuring robust handling of edge cases and adherence to naming conventions.

Changes

File	Change Summary
src/core/LSTRestakingController.sol	Added logic to prevent VIRTUAL_STAKED_ETH_ADDRESS from being used if the vault can be retrieved, enhancing security against unauthorized withdrawals.
src/core/Bootstrap.sol	Introduced a conditional check to prevent vault deployment for VIRTUAL_STAKED_ETH_ADDRESS, refining token-specific handling.
src/core/ClientGatewayLzReceiver.sol	Added comments clarifying that vaults should not be deployed for VIRTUAL_STAKED_ETH_ADDRESS, improving code documentation.
src/libraries/Errors.sol	Added a new error declaration to prohibit vault deployment for VIRTUAL_STAKED_ETH_ADDRESS, enhancing error handling.
src/storage/BootstrapStorage.sol	Introduced a constant for VIRTUAL_STAKED_ETH_ADDRESS and added validation in _deployVault to prevent vault deployment for this address, improving control flow and error handling.
src/storage/ClientChainGatewayStorage.sol	Removed the constant for VIRTUAL_STAKED_ETH_ADDRESS, indicating a shift in how staked ETH is managed.
test/foundry/unit/ClientChainGateway.t.sol	Renamed withdrawNonBeaconChainETHFromCapsule to WithdrawNonBeaconChainETHFromCapsule for consistency; introduced WithdrawalPrincipalFromExocore contract with tests for various withdrawal scenarios, enhancing testing capabilities.
test/foundry/unit/Bootstrap.t.sol	Added a constant for VIRTUAL_STAKED_ETH_ADDRESS and a new test function to verify that a vault is not deployed for this address, ensuring correct handling of the virtual staked ETH scenario.

Assessment against linked issues

Objective	Addressed	Explanation
Prevent bypassing of withdrawal checks (#84)	✅

🐰 Hopping through the code, what a sight to see,
New checks and balances, as safe as can be!
With names that shine bright, and tests that are keen,
Our staking's now stronger, a well-oiled machine!
So let’s cheer for the changes, with a joyful little dance,
For security’s a treasure, and we’ve taken a chance! 🎉

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

Early access features: disabled

We are currently testing the following features in early access:

• Anthropic claude-3-5-sonnet for code reviews: Anthropic claims that the new Claude model has stronger code understanding and code generation capabilities than their previous models. Note: Our default code review model was also updated late last week. Please compare the quality of the reviews between the two models by toggling the early access feature.

Note:

• You can enable or disable early access features from the CodeRabbit UI or by updating the CodeRabbit configuration file.
• Please join our Discord Community to provide feedback and report issues on the discussion post.

[coderabbitai]

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (3)

src/core/LSTRestakingController.sol (1)

51-54: Security enhancement in withdrawal function.

The addition of _getVault(token); in withdrawPrincipalFromExocore function is a crucial security enhancement. It ensures that only tokens associated with a valid vault can be used, which indirectly prevents the use of VIRTUAL_STAKED_ETH_ADDRESS for unauthorized withdrawals.

The code changes are approved.

Consider adding explicit error handling if the vault is not found, to provide clearer feedback to the user:

IVault vault = _getVault(token);
require(address(vault) != address(0), "Invalid token: Vault not found");

test/foundry/unit/ClientChainGateway.t.sol (2)

Line range hint 280-354: Enhanced clarity in contract naming and comprehensive test coverage.

The renaming of the contract to WithdrawNonBeaconChainETHFromCapsule follows Solidity's convention and enhances clarity. The test scenarios cover successful withdrawals and various failure modes effectively.

The code changes are approved.

Consider adding more detailed comments for each test scenario to provide better context and understanding of the expected behaviors and conditions:

// Test to ensure successful withdrawal of non-beacon chain ETH from a capsule.
function test_success_withdrawNonBeaconChainETH() public {
    ...
}

// Test to ensure the function reverts if the capsule is not found.
function test_revert_capsuleNotFound() public {
    ...
}

---

355-408: Robust testing for new security measures in withdrawal scenarios.

The WithdrawalPrincipalFromExocore contract provides comprehensive testing for the new security measures. It ensures that the withdrawal logic is robust and handles edge cases appropriately, such as whitelisting checks and zero amount withdrawals.

The code changes are approved.

Enhance the clarity of test descriptions to better convey the purpose and expected outcomes of each test:

// Test to ensure the function reverts when attempting to withdraw a non-whitelisted token.
function test_revert_withdrawNonWhitelistedToken() public {
    ...
}

// Test to ensure the function reverts when attempting to withdraw zero amount.
function test_revert_withdrawZeroAmount() public {
    ...
}

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 0a2fa70 and ab6ffca.

Files selected for processing (2)

• src/core/LSTRestakingController.sol (1 hunks)
• test/foundry/unit/ClientChainGateway.t.sol (3 hunks)

[adu-web3]

in this new commit, we forbid deploying vault for VIRTUAL_STAKED_ETH_ADDRESS, so that whether for Bootstrap or ClientChainGateway, there is no possibility that a vault is deployed for VIRTUAL_STAKED_ETH_ADDRESS.

We should forbid deploying vault for VIRTUAL_STAKED_ETH_ADDRESS because this could lead to bypassing the native restaking withdrawal checks

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between ab6ffca and 3f6719d.

Files selected for processing (6)

• src/core/Bootstrap.sol (1 hunks)
• src/core/ClientGatewayLzReceiver.sol (1 hunks)
• src/libraries/Errors.sol (1 hunks)
• src/storage/BootstrapStorage.sol (3 hunks)
• src/storage/ClientChainGatewayStorage.sol (1 hunks)
• test/foundry/unit/Bootstrap.t.sol (2 hunks)

Files skipped from review due to trivial changes (2)

• src/core/ClientGatewayLzReceiver.sol
• src/storage/ClientChainGatewayStorage.sol

Additional comments not posted (7)

src/libraries/Errors.sol (1)

210-211: LGTM!

The new error declaration ForbidToDeployVault is a valuable addition to the Errors library. It follows the naming convention, is placed in the appropriate location, and has a clear error message. This error will enhance the error handling capabilities of the library and improve the clarity of the code when dealing with vault deployments related to staked ETH.

src/storage/BootstrapStorage.sol (3)

8-9: LGTM!

The import statement for the Errors library is necessary and looks good.

---

151-152: LGTM!

The constant VIRTUAL_STAKED_ETH_ADDRESS is defined correctly and serves a clear purpose in the contract.

---

343-345: LGTM!

The if statement correctly prevents deploying vaults with the VIRTUAL_STAKED_ETH_ADDRESS token, enhancing the contract's security.

src/core/Bootstrap.sol (1)

198-200: LGTM!

The added conditional check is necessary to prevent deploying a vault for the virtual token address representing natively staked ETH. It ensures that the vault deployment logic is skipped for this specific token, while allowing it for other tokens that don't have a vault yet.

test/foundry/unit/Bootstrap.t.sol (2)

68-68: LGTM!

The constant VIRTUAL_STAKED_ETH_ADDRESS is correctly defined and will be useful for handling the specific case related to the virtual token in the test suite.

---

180-192: LGTM!

The test test02_VaultNotDeployedForNativeStakedETH is correctly implemented and verifies that a vault is not deployed for the virtual staked ETH address. This improves the robustness of the contract by ensuring that the system correctly identifies and handles the virtual staked ETH scenario.

[coderabbitai]

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 3f6719d and 2da9b46.

Files selected for processing (1)

• test/mocks/NonShortCircuitEndpointV2Mock.sol (1 hunks)

Files skipped from review due to trivial changes (1)

• test/mocks/NonShortCircuitEndpointV2Mock.sol

[bwhour]

LGTM