search

sherlock-audit / 2024-05-napier-update-judging

8 stars 7 forks source link

karsar - Minimum ETH Withdrawal Requirement Causes Delayed Requests #68

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

karsar

medium

Minimum ETH Withdrawal Requirement Causes Delayed Requests

Summary

Withdrawals can't happen until the contract has 100 ether, making it hard to use at first.

Vulnerability Detail

The _requestWithdrawal functionimplements a minimumwithdrawAmountof 100 ether, potentially delaying the initiation of withdrawal requests until the contract's balance reaches the specified threshold. it will make hard for users, especially those trying to withdraw smaller amounts, and may hinder the contract's initial usability.

 function _requestWithdrawal(uint256 withdrawAmount) internal override returns (uint256, uint256) {
        // The max amount for a request is 500 ether to chunk the large withdrawals into smaller ones.
        if (withdrawAmount < 100) revert WithdrawalBelowMinimum(); // here
        if (withdrawAmount > 500 ether) withdrawAmount = 500 ether;

Impact

users won't be able to withdraw their funds until the contract has 100 ether, causing inconvenience and delays.

Code Snippet

https://github.com/sherlock-audit/2024-05-napier-update/blob/main/napier-v1/src/adapters/etherfi/EETHAdapter.sol#L111-L128

Tool used

Manual Review

Recommendation

Ensure that users can withdraw smaller amounts by adjusting the minimum withdrawal threshold to allow for more flexibility in accessing funds.

    function _requestWithdrawal(uint256 withdrawAmount) internal override returns (uint256, uint256) {
        // The max amount for a request is 500 ether to chunk the large withdrawals into smaller ones.
       --  if (withdrawAmount < 100) revert WithdrawalBelowMinimum();
        ++  if (withdrawAmount > EETH.balanceOf(address(this))) revert();
        if (withdrawAmount > 500 ether) withdrawAmount = 500 ether;

        /// INTERACT ///
        // The amount of ether that will be withdrawn is limited to
        // the number of eETH tokens transferred to this contract at the moment of request.
        // So, we will not receive the rewards for the period of time while these tokens stay in the queue.
        uint256 _requestId = LIQUIDITY_POOL.requestWithdraw(address(this), withdrawAmount); // Dev: Ensure id is not 0
        if (_requestId == 0) revert InvariantViolation(); 

        emit RequestWithdrawal(_requestId, withdrawAmount);
        return (withdrawAmount, _requestId);
    }
sherlock-admin4 commented 3 months ago

1 comment(s) were left on this issue during the judging contest.

z3s commented:

Invalid; Design decisions are not valid issues. Even if the design is suboptimal, but doesn't imply any loss of funds, these issues are considered informational.