Having exactly 0 steth when withdrawing via will DoS variable users withdrawing
Summary
When the vault has ended, LidoVault::withdraw() calls LidoVault::vaultEndedWithdraw(), which checkpoints the stakes and eth balance. If they are 0 and the user is withdrawing a variable deposit, it will underflow in the totalEarnings calculation when subtracting the totalProtocolFee. As users do not get their withdraw right away, they can not allocate it and lose yield because of this, showing its time sensitiveness
Root Cause
In LidoVault:775, there is an unhandled underflow or divison by 0.
Internal pre-conditions
None.
External pre-conditions
None.
Attack Path
User withdraws but there are exactly 0 steth in the contract due to everyone having requested withdrawals.
Impact
DoSed withdrawals until someone sends some steth to the protocol so it does not revert. This will lead to yield loss for the variable users which goes against the explicit design of the LidoVault which calculates precisely the return variable users should get.
PoC
In LidoVault::vaultEndedWithdraw(), the total earnings are calculated as uint256 totalEarnings = vaultEndingETHBalance.mulDiv(withdrawnStakingEarningsInStakes,vaultEndingStakesAmount) - totalProtocolFee + vaultEndedStakingEarnings;, which underflows if withdrawnStakingEarningsInStakes is null or vaultEndingStakesAmount is 0.
Mitigation
If the stakes or the balance are 0, skip collecting earnings as there are no earnings to collect: however, there may be pending feeEarnings to collect.
0x73696d616f
Medium
Having exactly 0 steth when withdrawing via will DoS variable users withdrawing
Summary
When the vault has ended, LidoVault::withdraw() calls LidoVault::vaultEndedWithdraw(), which checkpoints the stakes and eth balance. If they are 0 and the user is withdrawing a variable deposit, it will underflow in the
totalEarningscalculation when subtracting thetotalProtocolFee. As users do not get their withdraw right away, they can not allocate it and lose yield because of this, showing its time sensitivenessRoot Cause
In
LidoVault:775, there is an unhandled underflow or divison by 0.Internal pre-conditions
None.
External pre-conditions
None.
Attack Path
Impact
DoSed withdrawals until someone sends some steth to the protocol so it does not revert. This will lead to yield loss for the variable users which goes against the explicit design of the LidoVault which calculates precisely the return variable users should get.
PoC
In
LidoVault::vaultEndedWithdraw(), the total earnings are calculated asuint256 totalEarnings = vaultEndingETHBalance.mulDiv(withdrawnStakingEarningsInStakes,vaultEndingStakesAmount) - totalProtocolFee + vaultEndedStakingEarnings;, which underflows ifwithdrawnStakingEarningsInStakesis null orvaultEndingStakesAmountis 0.Mitigation
If the stakes or the balance are 0, skip collecting earnings as there are no earnings to collect: however, there may be pending
feeEarningsto collect.