bareli - No withdraw delay or cooldown period,

[sherlock-admin]

bareli

medium

No withdraw delay or cooldown period,

Summary

    The contract does not implement a withdrawal delay or cooldown period, which could be a design choice but might also expose the system to liquidity risks if many users decide to withdraw simultaneously.

Vulnerability Detail

function requestWithdrawal() external virtual nonReentrant onlyRebalancer { if (requestId != 0) revert WithdrawalPending();

    uint256 targetBufferEth = (totalAssets() * targetBufferPercentage) / BUFFER_PERCENTAGE_PRECISION;

    // If the buffer exceeds the target buffer, revert.
    // If the buffer is insufficient, request a withdrawal to refill the buffer.
    // note: use `>=` instead of `>` to prevent amount of ETH to withdraw to be 0
    // note: At this point, `withdrawalQueueEth` is 0 because there is no pending withdrawal request.
    // `nonStakedEth` = `bufferEth` + 0 = `bufferEth`
    uint256 bufferEthCache = bufferEth;
    if (bufferEthCache >= targetBufferEth) revert BufferTooLarge();

    unchecked {
        // Ensure that `withdrawAmount` is non-zero and withdrawalQueueEth is zero.
        uint256 withdrawAmount = targetBufferEth - bufferEthCache; // no underflow

        /// WRITE & INTERACT ///
        // Record the pending withdrawal request
        // Request a withdrawal

@> (uint256 queueAmount, uint256 _requestId) = _requestWithdrawal(withdrawAmount); withdrawalQueueEth = queueAmount.toUint128(); requestId = _requestId; } }

Impact

the system to liquidity risks if many users decide to withdraw simultaneously.

Code Snippet

https://github.com/sherlock-audit/2024-01-napier/blob/main/napier-v1/src/adapters/BaseLSTAdapter.sol#L179

Tool used

Manual Review

Recommendation

implement withdrawal delay or cooldown period

[sherlock-admin]

1 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

This is desing decision