The withdrawal fee receiver can DoS withdrawals by reverting the POOL token transfer within the onERC1155Received transfer hook.
Vulnerability Detail
Withdrawal fees are transferred to the fee receiver in the VaultInternal._withdraw function. Internally, this function calls the VaultInternal._collectWithdrawalFee function. Then within this function, the VaultInternal._transferCollateralAndShortAssets function is called.
Fees are then transferred by using Pool.safeTransferFrom. POOL itself is an ERC1155 token, hence, due to using the safeTransferFrom function, the onERC1155Received hook is called on the receiver. If the receiver is a smart contract, it is therefore possible to revert the transfer and prevent withdrawals.
Impact
The withdrawal fee receiver can prevent withdrawals.
function _transferCollateralAndShortAssets(
uint64 epoch,
uint256 collateralAmount,
uint256 shortContracts,
uint256 shortTokenId,
address receiver
) private {
if (collateralAmount > 0) {
// transfers collateral to receiver
ERC20.safeTransfer(receiver, collateralAmount);
}
if (shortContracts > 0) {
// transfers short contracts to receiver
Pool.safeTransferFrom(
address(this),
receiver,
shortTokenId,
shortContracts,
""
);
}
emit DistributionSent(
epoch,
collateralAmount,
shortContracts,
receiver
);
}
Tool Used
Manual review
Recommendation
Consider using a pull-based approach for withdrawal fees instead of immediately transferring the fees to the recipient. This would allow the withdrawal fee receiver to withdraw the fees at any time, but would not allow them to block withdrawals.
berndartmueller
medium
Withdrawal fee receiver can DoS withdrawals
Summary
The withdrawal fee receiver can DoS withdrawals by reverting the
POOL
token transfer within theonERC1155Received
transfer hook.Vulnerability Detail
Withdrawal fees are transferred to the fee
receiver
in theVaultInternal._withdraw
function. Internally, this function calls theVaultInternal._collectWithdrawalFee
function. Then within this function, theVaultInternal._transferCollateralAndShortAssets
function is called.Fees are then transferred by using
Pool.safeTransferFrom
.POOL
itself is anERC1155
token, hence, due to using thesafeTransferFrom
function, theonERC1155Received
hook is called on thereceiver
. If thereceiver
is a smart contract, it is therefore possible to revert the transfer and prevent withdrawals.Impact
The withdrawal fee receiver can prevent withdrawals.
Code Snippet
vault/VaultInternal._withdraw
vault/VaultInternal._collectWithdrawalFee
vault/VaultInternal._transferCollateralAndShortAssets
Tool Used
Manual review
Recommendation
Consider using a pull-based approach for withdrawal fees instead of immediately transferring the fees to the recipient. This would allow the withdrawal fee receiver to withdraw the fees at any time, but would not allow them to block withdrawals.