toshiSat
commented
11 months ago Will add check for zero amounts
Open c4-submissions opened 11 months ago
toshiSat
commented
11 months ago Will add check for zero amounts
toshiSat
commented
11 months ago I cannot label this one for some reason, but this feels like a Low priority and confirming
c4-judge
commented
10 months ago 0xleastwood marked the issue as confirmed for report
c4-judge
commented
10 months ago 0xleastwood marked the issue as satisfactory
c4-judge
commented
10 months ago 0xleastwood marked the issue as not confirmed for report
c4-judge
commented
10 months ago 0xleastwood marked the issue as confirmed for report
c4-judge
commented
10 months ago 0xleastwood marked the issue as nullified
c4-judge
commented
10 months ago 0xleastwood marked the issue as not confirmed for report
c4-judge
commented
10 months ago 0xleastwood marked the issue as not nullified
c4-judge
commented
10 months ago 0xleastwood marked the issue as satisfactory
Lines of code
Vulnerability details
Mitigation of H-02: Issue mitigated with ERROR
Mitigated issue
H-02: Zero amount withdrawals of SafEth or Votium will brick the withdraw process
The issue was that withdrawing afEth might imply a withdrawal of 0 safEth or vAfEth, which reverts.
Mitigation review
In the case of withdrawing 0 safEth, the call to SafEth.unstake() is now skipped in AfEth.withdraw(). In the case of withdrawing 0 vAfEth,
AfEth.requestWithdraw()still callsVotiumStrategy.requestWithdraw(0). When finalizing the withdrawal withAfEth.withdraw(), which callsVotiumStrategy.withdraw(), a check is made to only callsellCvx()with nonzero amounts. The request and withdrawal will thus not revert.Mitigation error
Since a
VotiumStrategy.requestWithdraw(0)is still placed, this queues it to the end of all previous withdrawal requests (as if an infinitesimal amount is to be withdrawn), incurring an artificially prolonged withdrawal time.