SPYBOY - Depositer funds can Stuck in contract .

[github-actions[bot]]

SPYBOY

high

Depositer funds can Stuck in contract .

Summary

In ProtectionPool.sol there is a function _requestWithdrawal() which requests the withdrawal amount. according to that function after requesting withdrawal user can withdraw after n+2 cycles (n = cycle while requesting). But according to the function withdraw() if that withdrawal cycle passes user can't withdraw his deposit. Because it checks whether the current cycle contains an entry to withdraw. if withdrawal cycle passes user can't withdraw funds

POC: 1) bob deposited his token using the function deposit(). 2) now bob requests withdraw amounts using the function _requestWithdrawal(). at cycle = 1 . now bob can withdraw his deposit within or after cycle = 3 (according to the rule). 3) for some reason bob is not able to withdraw his amount in cycle 3. he lets cycle 3 pass by and then bob will try to withdraw in cycle 4 but he will not be able to withdraw because his entry is not there in cycle 4.

Related bug on immunefi: https://zzykxx.com/2023/02/02/the-bug-that-codearena-missed-,-twice/?s=08

Vulnerability Detail

Impact

User funds will be stuck in a contract for more time. if the leverage ratio increases there is more chance that he may suffer from loss.

Code Snippet

_requestWithdrawal() : https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L208-L214 withdraw(): https://github.com/sherlock-audit/2023-02-carapace/blob/main/contracts/core/pool/ProtectionPool.sol#L226-L275

Tool used

Manual Review

Recommendation

Create a mechanism to withdraw. if the cycle passes.

[clems4ev3r]

Funds are not stuck/lost, the user can still request withdrawal on another cycle

[vnadoda]

@clems4ev3r You are right. This behavior is by design. Investors/sellers have to withdraw during the open period of the withdrawal cycle or create a new request.