AlexCzm - Users can farm points and withdraw their assets before bridging period starts, leaving protocol with no liquidity to bridge

[sherlock-admin3]

AlexCzm

medium

Users can farm points and withdraw their assets before bridging period starts, leaving protocol with no liquidity to bridge

Summary

Protocol's timeline farming can be split into 3 segments:

• a period when farming is open and users can deposit (+withdraw) and farm points
• a period when only withdrawals are allowed
• after withdrawal period, bridging is opened. Users can deposit and farm points. Right before withdraw period ends, they can withdraw all their funds to avoid having liquidity locked for longer period of time. Since the bridging is allowed only after withdrawal period ends, protocol can end up in the situation having no assets to bridge.

Vulnerability Detail

Users can deposit assets to farm points as long as farming is not ended

    function _deposit(uint256 _pid, uint256 _depositAmount, uint256 _boostAmount) internal {
@>        if (isFarmingEnded()) {
            revert FarmingIsEnded();
        }
...

Last block when withdrawal is enabled is higher or same to endBlock block:

    function setEndBlock(uint256 _endBlock, uint256 _withdrawalBlocks) public onlyOwner {
        uint256 _endBlockForWithdrawals;
        if (_endBlock != 0) {
            if (_endBlock <= startBlock || getBlockNumber() > _endBlock) {
                revert InvalidEndBlock();
            }
            if (isFarmingEnded()) {
                revert FarmingIsEnded();
            }
@>           _endBlockForWithdrawals = _endBlock + _withdrawalBlocks; // withdrawalsEndBlock >= endBlock
        } else {
            // withdrawal blocks needs an endBlock
            _endBlockForWithdrawals = 0;
        }
        massUpdatePools();
        endBlock = _endBlock;
        endBlockForWithdrawals = _endBlockForWithdrawals;
    }

Bridging can be executed only after farming and withdrawal period ended. Otherwise bridgePool will revert:

    function bridgePool(uint256 _pid) external {
        if (!isFarmingEnded() || !isWithdrawPeriodEnded() || isBridged[_pid]) {
            revert Unauthorized();
        }
...

Users can profit and deposit assets while the farming timeframe is open. Then they can withdraw all their assets right before endBlockForWithdrawals block. By doing so they gained exposure to point rewards and avoid having their funds locked on L2. Protocol will have to reward users based on their accumulated points but they will risk having no or little liquidity to bridge to their L2.

Impact

• protocol TVL on L2 can be 0 or way smaller than value locked to farm points.

Code Snippet

Tool used

Manual Review

Recommendation

Incentivize users to keep funds locked even after bridging is enabled. Consider applying a multiplier factor to users with funds bridged to L2.

[sherlock-admin4]

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

invalid because that's the intended design. Admin might probably need to free up withdrawal period for users if bridging isn't desired