SyncCode2017 - Transactions calling `LidoVault::finalizeVaultOngoingFixedWithdrawals` will fail if one of the requests for withdrawals to Lido reverts causing funds being stuck (DoS). #166
SyncCode2017
Medium
Transactions calling `LidoVault::finalizeVaultOngoingFixedWithdrawals` will fail if one of the requests for withdrawals to Lido reverts causing funds being stuck (DoS).
Summary
When a user calls `LidoVault::finalizeVaultOngoingFixedWithdrawals` all the queued requests are sent individually in a loop to Lido. So a long loop of requests is expected to be processed in this one transaction as shown below.
https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L1174
If one of the requests reverts, the whole transaction fails, leaving funds stuck in the protocol.
Root Cause
Using a user's transaction to send all the queued requests for withdrawal to Lido.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
All users with queued requests for withdrawal from an ongoing vault will have their funds stuck.
PoC
No response
Mitigation
Refactor `LidoVault::_claimWithdrawals` to send only the `msg.sender`'s request, or use a try/catch block to send transactions to Lido.
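The try/catch option from the mitigation, next to the all-or-nothing loop it replaces, as an added sketch that is not part of the original report and is not LidoVault's code. `IQueue`, `BatchClaimSketch`, `enqueue` and every other name here are hypothetical, and the queue contract is assumed to be trusted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical stand-in for the external withdrawal queue (not Lido's real interface).
interface IQueue {
    function claim(uint256 requestId) external returns (uint256 amount);
}

// Illustrative only: names and storage layout are assumptions, not LidoVault's.
contract BatchClaimSketch {
    IQueue public immutable queue;                // assumed trusted, no reentrancy
    uint256[] public pending;                     // queued request ids
    mapping(uint256 => address) public ownerOf;   // request id => user
    mapping(address => uint256) public claimedOf; // amount credited per user

    event ClaimFailed(address indexed user, uint256 indexed requestId);

    constructor(IQueue q) { queue = q; }

    // Hypothetical registration step: records which user a queued request belongs to.
    function enqueue(uint256 id) external {
        pending.push(id);
        ownerOf[id] = msg.sender;
    }

    // Fragile: a revert in any single claim bubbles up and undoes the whole batch.
    function finalizeAllFragile() external {
        for (uint256 i = 0; i < pending.length; i++) {
            uint256 id = pending[i];
            claimedOf[ownerOf[id]] += queue.claim(id);
        }
        delete pending;
    }

    // Isolated: a failed claim is logged and kept for retry; the others still settle.
    function finalizeAllIsolated() external {
        uint256 n = pending.length;
        uint256 kept = 0;
        for (uint256 i = 0; i < n; i++) {
            uint256 id = pending[i];
            try queue.claim(id) returns (uint256 amount) {
                claimedOf[ownerOf[id]] += amount;
            } catch {
                pending[kept++] = id; // kept <= i, so unread entries are never overwritten
                emit ClaimFailed(ownerOf[id], id);
            }
        }
        while (pending.length > kept) pending.pop(); // drop the settled tail
    }
}
```

try/catch only isolates reverts raised inside the external call, and the loop is still unbounded, so a cap on batch size remains worth adding.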