Minimum and Maximum unstake amount for stETH not enforced.
Summary
Minimum and Maximum unstake amount for stETH not enforced as per Lido documentation.
Vulnerability Details
Lido documentation (https://docs.lido.fi/guides/lido-tokens-integration-guide/#unsteth) states the following:
Request size should be at least 100 wei (in stETH) and at most 1000 stETH.
Lido enforces this through an internal function that reverts transactions not complying with their min/max amounts:
The protocol doesn't conduct any min/max checks in relation to the amount unstaked. Moreover Lido states the following: Larger amounts should be withdrawn in multiple requests, which can be batched via in-protocol API.. The protocol doesn't implement a batching system to manage unstake calls > 1000 stETH.
Impact
Users won't be able to withdraw amounts < 100 wei or > 1000 stETH, their transactions failing.
Without a batching system users who want to unstake more than 1000 stETH will attempt to divide their unstake calls into multiple smaller calls, but without knowing what's the maximum limit this will waste gas and generate an unpleasant experience.
Tools Used
Manual review.
Recommendations
Copy the function used by Lido to enforce the unstake limits.
Create a modifier to apply it in the unstake function from BridgeSteth.sol.
Create a new function that takes care of the batching in case unstaked amount > maximum limit.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.