0xrobsol - Incomplete Handling of Liquidation Events in _finalizeWithdrawsManual

[sherlock-admin4]

0xrobsol

High

Incomplete Handling of Liquidation Events in _finalizeWithdrawsManual

Summary

The _finalizeWithdrawsManual function manages the finalization of withdraw requests for a specific account within a vault. However, it fails to consistently handle cases where the account's withdraw request has been split or remains unfinalized, potentially resulting in unintended consequences during liquidation events.

Vulnerability Detail

The function _finalizeWithdrawsManual is designed to execute finalization logic for withdraw requests associated with a given account.

• The function only stores the split withdraw request details if !accountWithdraw.hasSplit and finalized are both true.
• This check ensures that the split withdraw request is only recorded if the withdraw request has not been split previously (!accountWithdraw.hasSplit) and if the finalization process was successful (finalized).

Impact

• If the withdraw request has already been split (accountWithdraw.hasSplit == true), or if the finalization process was unsuccessful (finalized == false), the split withdraw request details will not be updated.
• This omission means that in scenarios where an account is liquidated after initiating a withdraw request but before it is finalized, the account may not receive their full share of tokens because the split withdraw request was not properly recorded.

Code Snippet

https://github.com/sherlock-audit/2024-06-leveraged-vaults/blob/main/leveraged-vaults-private/contracts/vaults/common/WithdrawRequestBase.sol#L189-L194

Tool used

Manual Review

Recommendation

• Implement logic to ensure that regardless of whether the withdraw request has been split (accountWithdraw.hasSplit), or if the finalization was successful (finalized), the split withdraw request details are updated accordingly.
• Ensure that the function accurately reflects the account's share of tokens even in scenarios involving liquidation or other unexpected events.

[sherlock-admin4]

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Low/QA at most