search

sherlock-audit / 2024-08-saffron-finance-judging

9 stars 5 forks source link

FadoBagi - FadoBagi - Funds Can Become Stuck Due to Lido Withdrawal Minimums #104

Open sherlock-admin4 opened 2 months ago

sherlock-admin4 commented 2 months ago

FadoBagi

High

FadoBagi - Funds Can Become Stuck Due to Lido Withdrawal Minimums

FadoBagi

High

Funds Can Become Stuck Due to Lido Withdrawal Minimums

Summary

The LidoVault contract enforces a minimum withdrawal amount of 100 stETH through the MIN_STETH_WITHDRAWAL_AMOUNT constant in the _requestWithdraw function. If the contract's total stETH balance falls below 100 stETH, users are unable to initiate withdrawal requests. Additionally, the contract lacks alternative withdrawal mechanisms, which may result in users' funds becoming permanently locked when the stETH balance is insufficient.

Vulnerability Detail

In the _requestWithdraw function, the contract checks if the stETHAmount is greater than or equal to MIN_STETH_WITHDRAWAL_AMOUNT:

        function _requestWithdraw(address user, uint256 stETHAmount) internal  
    returns (uint256[] memory) {
        // ...
        require(stETHAmount >= MIN_STETH_WITHDRAWAL_AMOUNT, "WM");
        // ...
    }

This means if the contract's total stETH balance drops below 100 stETH, the condition will fail, and users will be unable to request withdrawals.

Impact

If the contract's stETH balance falls below 100 stETH, users will be unable to withdraw their funds, potentially leaving them permanently locked without any alternative withdrawal options.

Code Snippet

Tools Used

Manual Review

Recommendation

Implement a fallback mechanism allowing users to withdraw their proportional share of stETH directly when the contract's balance falls below 100 stETH. Alternatively, accumulate smaller withdrawal requests until they meet the minimum threshold for a Lido withdrawal.