sherlock-audit / 2024-05-napier-update-judging


blutorque - Any queued withdrawal from EtherFi adapter cannot be claimed #9

Closed sherlock-admin2 closed 4 months ago

sherlock-admin2 commented 5 months ago

blutorque

high

Any queued withdrawal from EtherFi adapter cannot be claimed

Summary

Due to incorrect validation on _requestId, the EETHAdapter claimWithdrawal() function always reverts. As a consequence, any queued withdrawal cannot be completed further.

Vulnerability Detail

EETHAdapter.claimWithdrawal() checks whether the _requestId is finalized by the admin of the EtherFi.WithdrawRequestNFT contract or not. If not, it reverts the claimWithdrawal() call, which obviously makes sense.

However, if the _requestId is finalized by the EtherFi admin, the lastFinalizedRequestId is set to the _requestId, which also means any requestId <= lastFinalizedRequestId can claimWithdrawal(). The issue is that the Napier EETHAdapter reverses this check, causing every finalized request from EtherFi to be treated as under inspection or not claimable yet. Therefore, it reverts.

https://github.com/sherlock-audit/2024-05-napier-update/blob/c31af59c6399182fd04b40530d79d98632d2bfa7/napier-v1/src/adapters/etherfi/EETHAdapter.sol#L63

        // If _requstId is finalized on etherfi, it's reverted.
        if (_requestId < ETHERFI_WITHDRAW_NFT.lastFinalizedRequestId()) revert RequestInQueue();

Impact

The WithdrawRequestNFT.claimWithdraw() method only allows the owner of the requestId to claim the amount, which, in this case, is the Napier EtherFi adapter. Since the adapter claim function always reverts above, funds are stuck forever in the EtherFi LiquidityPool.

Code Snippet

https://github.com/sherlock-audit/2024-05-napier-update/blob/c31af59c6399182fd04b40530d79d98632d2bfa7/napier-v1/src/adapters/etherfi/EETHAdapter.sol#L56

Tool used

Manual Review

Recommendation

        // If _requstId is finalized on etherfi, it's reverted.
-        if (_requestId < ETHERFI_WITHDRAW_NFT.lastFinalizedRequestId()) revert RequestInQueue();
+        if (_requestId > ETHERFI_WITHDRAW_NFT.lastFinalizedRequestId()) revert RequestInQueue();
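Review bot: The unchanged context comment above the check, "If _requstId is finalized on etherfi, it's reverted.", now states the opposite of what the code does: with `>` the RequestInQueue revert fires for ids that are not yet finalized. Suggest updating the comment in the same change, for example "If _requestId is not finalized on etherfi yet, revert", and fixing the `_requstId` spelling. The `>` boundary lets `_requestId == lastFinalizedRequestId()` through, which matches the `requestId <= lastFinalizedRequestId` rule stated in the description; a test that claims at exactly that boundary and one id either side would pin the comparison direction down.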

Duplicate of #55
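
Added example, not part of the original report or of the Napier/EtherFi code: a small Python model of the two checks a claim passes through (the adapter guard quoted in the report, then EtherFi's own rule as the report describes it), swept across request ids around the finalization boundary. The function names and the sample value 10 for lastFinalizedRequestId are assumptions made for illustration.

```python
# Model of the claim path; not Solidity and not project code.
LAST_FINALIZED = 10  # constructed sample value for lastFinalizedRequestId()


def etherfi_allows(request_id, last_finalized):
    # Rule as stated in the report: any requestId <= lastFinalizedRequestId can claim.
    return request_id <= last_finalized


def guard_original(request_id, last_finalized):
    # Quoted adapter check: revert RequestInQueue when _requestId < lastFinalizedRequestId.
    return not (request_id < last_finalized)


def guard_recommended(request_id, last_finalized):
    # Recommended check: revert RequestInQueue when _requestId > lastFinalizedRequestId.
    return not (request_id > last_finalized)


def outcome(guard, request_id, last_finalized=LAST_FINALIZED):
    """Return what happens to one claim: adapter guard first, then EtherFi's rule."""
    if not guard(request_id, last_finalized):
        return "RequestInQueue"   # adapter reverts before calling EtherFi
    if not etherfi_allows(request_id, last_finalized):
        return "etherfi-revert"   # adapter let it through, EtherFi rejects it
    return "claimed"


def sweep(guard, ids=range(8, 13)):
    """Boundary sweep: ids below, at, and above lastFinalizedRequestId."""
    return {i: outcome(guard, i) for i in ids}


if __name__ == "__main__":
    for name, guard in (("original", guard_original), ("recommended", guard_recommended)):
        print(name, sweep(guard))
```

A boundary sweep like this, ported to the adapter's own test suite, is the regression test that catches a flipped comparison.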