February 28, 2025

Othentic – Invalid EigenLayer reward submission

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

The standard rewards distribution process (as recommended by the CLI) fails, resulting in gas loss for the AVS manager.

Vulnerability Details

The OperatorDirectedRewardsSubmission struct submitted to EigenLayer undergoes validation, and the transaction will revert if any validation rules are not satisfied.

One critical rule is that the operator addresses must be in ascending order. In the AttestationCenter contract, the requestEigenBatchPayment function sorts the operators list obtained from _collectEligibleOperators. However, this list may include trailing items with a zero address, representing empty operators.

For this to happen, some operators in the queried range must satisfy at least one of the following conditions:

_details.operator == address(0) ||
_details.paymentStatus != PaymentStatus.REDEEMED ||
_details.lastPaidTaskNumber <= _taskNumber ||
_details.feeToClaim == 0

Subsequently, this list is forwarded to the AVSGovernance contract, which passes it to EigenLayer’s RewardsCoordinator. The transaction reverts because the zero addresses appear at the end of the list and are considered smaller than the actual operator addresses.

Impact

MEDIUM – The standard rewards distribution process (as recommended by the CLI) fails, resulting in gas loss for the AVS manager.

Recommendation

Truncate the list of rewarded operators to eliminate empty items.
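
One way to implement this truncation, shown as an added example that is not Othentic or EigenLayer code. The library, contract and function names are hypothetical, the sample addresses are constructed, and requireAscending is a simplified model of the ordering rule described above rather than RewardsCoordinator's actual validation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Othentic or EigenLayer code. All names are hypothetical.
library OperatorListLib {
    error NotAscending(uint256 index);

    // Model of the ordering rule described above: every address must be greater
    // than the one before it, so a zero address after a real operator fails.
    function requireAscending(address[] memory ops) internal pure {
        address prev = address(0);
        for (uint256 i = 0; i < ops.length; ++i) {
            if (ops[i] <= prev) revert NotAscending(i);
            prev = ops[i];
        }
    }

    // Drops zero-address slots wherever they sit and shrinks the array in place.
    // Relative order is preserved, so an already sorted list stays sorted.
    function truncateEmpty(address[] memory ops) internal pure returns (address[] memory) {
        uint256 kept = 0;
        for (uint256 i = 0; i < ops.length; ++i) {
            if (ops[i] != address(0)) ops[kept++] = ops[i];
        }
        // Lowering the length word of a memory array is safe; raising it is not.
        assembly ("memory-safe") {
            mstore(ops, kept)
        }
        return ops;
    }
}

contract TruncationDemo {
    // Constructed input: two eligible operators followed by two empty slots.
    function sample() public pure returns (address[] memory ops) {
        ops = new address[](4);
        ops[0] = address(0x1111);
        ops[1] = address(0x2222);
    }

    // Fails the ordering check: an empty slot follows a real operator.
    function submitUntruncated() external pure {
        OperatorListLib.requireAscending(sample());
    }

    // Truncates first, so only real operators reach the ordering check.
    function submitTruncated() external pure returns (address[] memory ops) {
        ops = OperatorListLib.truncateEmpty(sample());
        OperatorListLib.requireAscending(ops);
    }
}
```

If reward amounts are carried in a parallel array or in the same struct as the operator address, they have to be compacted in the same loop so each amount stays paired with its operator.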
