malicious user can create many withdrawing request and this can have overload for the keeper
Summary
when users want to withdraw their tokens they have to create withdraw request and after that, the keeper executes their request but there is a problem here, the createWithdrawRequest function doesn't check whether the user has sufficient balance or not or user has a related account or not and this means every user even those user that doesn't have account can create withdraw request and this has cost for the keeper
Vulnerability Detail
createWithdrawRequest function just validates the amount and token but after that it creates a request
Impact
malicious user can create many withdrawing request and this can have overload for the keeper
It is better the protocol does some simple validation before creating withdraw Request for example check the user balance or not allow to create more than one withdraw Request for a token
pashap9990
Medium
malicious user can create many withdrawing request and this can have overload for the keeper
Summary
when users want to withdraw their tokens they have to create withdraw request and after that, the keeper executes their request but there is a problem here, the createWithdrawRequest function doesn't check whether the user has sufficient balance or not or user has a related account or not and this means every user even those user that doesn't have account can create withdraw request and this has cost for the keeper
Vulnerability Detail
createWithdrawRequest function just validates the amount and token but after that it creates a request
Impact
malicious user can create many withdrawing request and this can have overload for the keeper
Code Snippet
https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/facets/AccountFacet.sol#L41 https://github.com/sherlock-audit/2024-05-elfi-protocol/blob/main/elfi-perp-contracts/contracts/process/AssetsProcess.sol#L157
Tool used
Manual Review
Recommendation
It is better the protocol does some simple validation before creating withdraw Request for example check the user balance or not allow to create more than one withdraw Request for a token
Duplicate of #96