Danoctavian/sc 1162/implement generalized withdrawal queue manager

[danoctavian]

No description provided.

[danoctavian]

can skip this file for now we're probably not going to include this in this release

[danoctavian]

this permissioned potentially can be improved.

Gives full control currently for allocating funds back into pool vs withdrawal. This is the most flexible from our PoV.

Some potential changes:

make it supply ETH to withdrawal vault based on deficit
make it allocate funds for another stakingNode to better support predictably reallocation between 2 stakingNodes. (eg. move 100 validators from StakingNode 1 to StakingNode 2)

[danoctavian]

What this abstraction doesn't support is the ability to request redemption in a particular asset or set off assets (eg. i request to exit ynLSDe in sfrxETH and rETH, maybe in a certain ratio).

This is enough for ynETH -> ETH.

We can spend more time thinking about that or extended this contract with an additional function when that use case arises.

The trickiness there is availability of said assets, as you'd be able to do that, given that you don't do any rebalancing only if those assets are available in the protocol, and that requires extra tracking and ability to inspect the state of "withdrawable" array of assets at the given time of requestWithdrawal and "book" them. This is for a token like ynLSDe, doesn't really apply for this release.

[danoctavian]

looking for opinions on how to structure these tests which run off of the existing deployment better.

This is for example one use case, since for proofs tests the most straighforward way is to test the existing real deployment and leave some validators "hanging" to test against them.

[danoctavian]

we have a more general problem with tests:

Tests that execute all tests on a fresh deployment vs tests that assume the deployment is the existing deployment.

The latter is the most accurate, since we roll the upgrade for ynETH on top of the existing deployment.

"Fresh" integration tests on a fresh deployment have the advantage that we can push the system to any configuration, while the mainnet one keeps moving underneat you (may break tests randomly, won't be able to reproduce certain system states without lots of prank-ing and etching which introduce error-prone additional mutations)

[johnnyonline]

amount (uint256) cant be smaller than 0.

[johnnyonline]

Ignoring return value - use safeTransferFrom().

[johnnyonline]

++_tokenIdCounter will be more gas efficient.

[johnnyonline]

Redundant calculation, can be done once (see L166).

[johnnyonline]

At this point, we check two times that the balance is sufficient, is this necessary?

[johnnyonline]

Redundant casts. can simply call stakingNodesManager.delegationManager(). Also redundant state variable though, used only once.

[kahuna099]

yep, lets remove the above line and replace line 367 with:

fullWithdrawalRoots = stakingNodesManager.delegationManager().queueWithdrawals(params);

[johnnyonline]

Redundant casts. can simply call stakingNodesManager.delegationManager(). Also redundant state variable though, used only once.

[kahuna099]

indeed, lets simplify by removing the above line (412) and replacing line 422 with:

stakingNodesManager.delegationManager().completeQueuedWithdrawals(
    withdrawals, 
    tokens, 
    middlewareTimesIndexes, 
    receiveAsTokens
);

[johnnyonline]

Noob question - will it always revert? because receive function limits sender to delayedWithdrawalRouter.

[danoctavian]

yeah i needed to fix it up!

[johnnyonline]

Should this be payable?

[danoctavian]

correct, no

[johnnyonline]

Can use msg.sender instead of address(stakingNodesManager).

[xhad]

Just a few tests that are failing, but otherwise this seems like a very solid base heading into the audit. My suggestion is that we should lean more heavily this time and collaboratively on the offchain and admin processes to ensure we have a very reliable secure system in place. Glad to hear you're up for taking the lead, but I'm def here to help and want to assist where you think is best.

[xhad]

Has this TODO been resolved?

[danoctavian]

No, we need a Withdrawal Manager Multisig created and decide the treshold and composition of that.

[xhad]

Unused Import

[xhad]

IDelayedWithdrawRouter is unused

[xhad]

ONE_GWEI is unused

[xhad]

Q: How is the unverified staked ETH calculated?

[danoctavian]

The unverifiedStakedETH should ideally be 0 on upgrade time.

yieldnest-protocol/src/StakingNodesManager.sol

Line 400 in 4b93773

node.initializeV2(0);

We MUST ensure all validators are verified at time of upgrade to perform it as shown above.

[xhad]

I'm curious why we have HoleskyStakingNodesManager. Is this because of Eigenlayer verison difference between the networks?

[danoctavian]

Holesky has StakingNode with id with a fixed number of dangling validators by convention that remain unverified.

That number should be what the variable is initialized with and as with Mainnet, no other validators should be staked once that value is set to correspond to the beacon chain reality and on-chain reality.

For example, if we agree to have 20 unverified validators, we will initialize the unverifiedStakedETH variable with 20 * 32 ether.

[xhad]

good to remove this prior to the audit

[danoctavian]

will clean all these up and turn this into a a full PR not just draft.

[xhad]

good to remove prior to audit

[xhad]

note to remove before audit

[xhad]

space

[danoctavian]

Just a few tests that are failing, but otherwise this seems like a very solid base heading into the audit. My suggestion is that we should lean more heavily this time and collaboratively on the offchain and admin processes to ensure we have a very reliable secure system in place. Glad to hear you're up for taking the lead, but I'm def here to help and want to assist where you think is best.

Great!

[danoctavian]

there's a bug here.

if you decrease this by 32ETH, but verifyWithdrawalCredentials yields for example 0 shares, because validator was withdrawn, balance drops potentially without justification. assets may still be in the system.

[danoctavian]

there's a bug in totalAssets() as a followup to withdrawals.

What goes into witdrawal is not counted into TVL.

This is incorrect, it must be counted until the ynETH is burned.

[danoctavian]

Please pay great attention to memory layouts and that being respected when reviewed given that we use Proxy contracts for all.

[kahuna099]

just like the above and below functions include the old and new value in the event args.

[kahuna099]

this function will return true for nonexistent withdrawal requests.

If you pass in a nonexistent index, then WithdrawalRequest memory request = withdrawalRequests[index]; will return an empty WithdrawalRequest. Then isFinalized will check return block.timestamp >= request.creationTimestamp + secondsToFinalization;, which will become some-timestamp >= 0 + secondsToFianlization. And since secondsToFinalization is very very likely to be less than block.timestamp, the isFinalized check will return true, even though this withdrawal request does not exist.

fix: if (request.creationTimestamp == 0) revert WithdrawalRequestDoesNotExist(index);

[kahuna099]

look at the above comment, but it might make sense to just revert here if no withdrawal request with this id exists, instead of returning an empty WithdrawalRequest

[kahuna099]

there is nothing happening here, you are missing a revert in the if-body. Right now anybody can call processWithdrawnETH (not that that is such a big problem, but it shouldn't be allowed)

Also, just a personal preference but i think the if-condition is more readable if you write it like:

if (msg.sender != address(stakingNodesManager &&
    msg.sender != address(stakingNodesManager.redemptionAssetsVault())) {

[xhad]

Just noticed this, a minor suggestion. Perhaps we can resolve all of the compiler warnings running the test suite prior to audit.

Compiler run successful with warnings:
Warning (2519): This declaration shadows an existing declaration.
   --> test/scenarios/fork/ynETHWithdrawals.t.sol:378:9:
    |
378 |         uint256 _secondsToFinalization = ynETHWithdrawalQueueManager.MAX_SECONDS_TO_FINALIZATION() + 1;
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The shadowed declaration is here:
   --> test/scenarios/fork/ynETHWithdrawals.t.sol:375:76:
    |
375 |     function testSetSecondsToFinalizationSecondsToFinalizationExceedsLimit(uint256 _secondsToFinalization) public {
    |                                                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
   --> test/utils/StakingNodeTestBase.sol:139:50:
    |
139 |     function setupForVerifyAndProcessWithdrawals(uint256 nodeId, string memory path) public {
    |                                                  ^^^^^^^^^^^^^^

Warning (2072): Unused local variable.
   --> test/utils/StakingNodeTestBase.sol:224:9:
    |
224 |         uint256 unverifiedStakedETH = stakingNodeInstance.getUnverifiedStakedETH();
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^

Warning (2072): Unused local variable.
   --> test/utils/StakingNodeTestBase.sol:225:9:
    |
225 |         int256 shares = eigenPodManager.podOwnerShares(address(stakingNodeInstance));
    |         ^^^^^^^^^^^^^

Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
   --> test/scenarios/fork/ynETHWithdrawals.t.sol:375:76:
    |
375 |     function testSetSecondsToFinalizationSecondsToFinalizationExceedsLimit(uint256 _secondsToFinalization) public {

[danoctavian]

Question from @kahuna099

Why not withdraw
podOwnerShares[podOwner]

and have 0 params?