Users can't withdraw their deposits from `LiquidityPool`

[hats-bug-reporter[bot]]

Github username: -- Submission hash (on-chain): 0x957746d44ea354bc488287fb74e7ad667a71a205f08c522eec23eb90f9d4ec93 Severity: high

Description: Description

• LiquidityPool contract depends on users depositing their ethers and getting eETH share tokens as a source of liquidity/funds.

• When a user deposits in the LP; he will be minted eETH shares proportional to the totalSupply of the shares tokens (eETH.totalShares()) and the available ether balance of the pool (totalPooledEther).

• As per the current implementation of the LiquidityPool.withdraw function: this function can be called only either by the MembershipManager contract or the WithdrawRequestNFT contract:

    function withdraw(address _recipient, uint256 _amount) external whenNotPaused returns (uint256) {
          //...some code
          require(msg.sender == address(withdrawRequestNFT) || msg.sender == address(membershipManager), "Incorrect Caller");
          //...some code
    }

• So if any user wants to withdraw his deposit from the liquidity pool, he must initiate the call from either of the two contracts; otherwis the withdraw function will revert with "Incorrect Caller" error message.

Attack Scenario

• But it was noticed that MembershipManager and WithdrawRequestNFT contracts don't implement LiquidityPool.withdraw function for deposits withdrawal (only for fee withdrawal when unwrapping eETH) ; so there's no way for the user to withdraw his deposit.

Attachments

Revised Code File LiquidityPool.withdraw function

   function withdraw(address _recipient, uint256 _amount) external whenNotPaused returns (uint256) {
       uint256 share = sharesForWithdrawalAmount(_amount);
-       require(msg.sender == address(withdrawRequestNFT) || msg.sender == address(membershipManager), "Incorrect Caller");
       if (totalValueInLp < _amount || (msg.sender == address(withdrawRequestNFT) && -ethAmountLockedForWithdrawal < _amount) || eETH.balanceOf(msg.sender) < _amount) revert InsufficientLiquidity();

       if (_amount > type(uint128).max || _amount == 0 || share == 0) revert InvalidAmount();

       totalValueInLp -= uint128(_amount);
       if (msg.sender == address(withdrawRequestNFT)) {
           ethAmountLockedForWithdrawal -= uint128(_amount);
       }

       eETH.burnShares(msg.sender, share);

       (bool sent, ) = _recipient.call{value: _amount}("");
       if (!sent) revert SendFail();

       return share;
   }

[seongyun-ko]

Withdrawal is made via requestWithdraw functions. WithdrawRequestNFT is involved. Plz check those code

[seongyun-ko]

close