The completeQueuedWithdrawal() function in the OperatorDelegator contract finalizes queued withdrawals and fills the ERC20 withdrawal buffer if needed by calling the fillERC20withdrawBuffer function in the depositQueue contract. However, the fillERC20withdrawBuffer function is restricted to the RestakeManager contract due to the onlyRestakeManager modifier. Consequently, when completeQueuedWithdrawal attempts to call this function, it reverts, preventing the retrieval of funds.
The fix removes the onlyRestakeManager modifier from the fillERC20withdrawBuffer function, allowing the OperatorDelegator contract to call it without restriction.
function fillERC20withdrawBuffer(address _asset, uint256 _amount) external nonReentrant {
if (_amount == 0 || _asset == address(0)) revert InvalidZeroInput();
// safeTransfer from restake manager to this address
IERC20(_asset).safeTransferFrom(msg.sender, address(this), _amount);
// approve the token amount for withdraw queue
IERC20(_asset).safeApprove(address(withdrawQueue), _amount);
// call the withdraw queue to fill up the buffer
withdrawQueue.fillERC20WithdrawBuffer(_asset, _amount);
}
Conclusion
Removing the onlyRestakeManager modifier from the fillERC20withdrawBuffer function resolves the issue of failed withdrawal completions.
Lines of code
Vulnerability details
C4 issue
H-07: DOS of
completeQueuedWithdrawal
when ERC20 buffer is filledLink to issue
Comments
The
completeQueuedWithdrawal()
function in theOperatorDelegator
contract finalizes queued withdrawals and fills the ERC20 withdrawal buffer if needed by calling thefillERC20withdrawBuffer
function in thedepositQueue
contract. However, thefillERC20withdrawBuffer
function is restricted to theRestakeManager
contract due to theonlyRestakeManager
modifier. Consequently, whencompleteQueuedWithdrawal
attempts to call this function, it reverts, preventing the retrieval of funds.Mitigation
PR: Pull Request 87 - H07FIX
The fix removes the
onlyRestakeManager
modifier from thefillERC20withdrawBuffer
function, allowing theOperatorDelegator
contract to call it without restriction.Conclusion
Removing the
onlyRestakeManager
modifier from thefillERC20withdrawBuffer
function resolves the issue of failed withdrawal completions.