Potential Insolvency Risk and Underflow in _finalizeWithdrawImpl Function Due to Lack of Balance Validation

Summary

The _finalizeWithdrawImpl() is responsible for finalizing a withdrawal request. There is a potential security issue where the function does not check if the contract's balance has increased after calling the WithdrawRequestNFT.claimWithdraw function. This oversight could lead to underflow issues and potentially cause the contract to become insolvent, affecting the withdrawal process and the users' funds.

Vulnerability Detail

The function currently does not validate that the contract's balance has increased after attempting to finalize a withdrawal request. This lack of validation means that if the withdrawal process fails to transfer funds to the contract, it could lead to an incorrect assumption that the withdrawal was successful. Consequently, the contract might operate under the false premise of having more funds than it actually does, leading to underflow issues and potential insolvency.

Impact

Without verifying that the contract's balance has increased after the withdrawal, the protocol may become insolvent. This could result in users being unable to withdraw their funds, causing potential financial losses and trust issues in the protocol. Additionally, the calculation address(this).balance - balanceBefore could underflow if the balance does not increase as expected.

Code Snippet

https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/staking/protocols/EtherFi.sol#L43-L48

Tool used

Manual Review

Recommendation

Implement a check to ensure that the contract's balance has increased after calling WithdrawRequestNFT.claimWithdraw. This can be done by adding a conditional check to prevent underflow and ensure the contract is solvent. For example:

sherlock-audit / 2024-06-leveraged-vaults-judging

0xrobsol - Potential Insolvency Risk and Underflow in _finalizeWithdrawImpl Function Due to Lack of Balance Validation #119