Steadefi
DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: high
Valid

Keeper may lose assets

Summary

processWithdrawFailure executes without updating self.refundee, so the unused execution fee from re-adding liquidity is refunded to the user who called withdraw instead of to the keeper who paid it, resulting in a loss for the keeper.

Vulnerability Details

processWithdrawFailure executes without updating self.refundee, so the unused execution fee from re-adding liquidity is refunded to the user who called withdraw instead of to the keeper who paid it, resulting in a loss for the keeper.
Furthermore, the user controls the self.withdrawCache.withdrawParams.minWithdrawTokenAmt parameter and can set it so that the initiated withdraw request always ends up in processWithdrawFailure, and can therefore repeat this multiple times to collect the remaining fee each time. In severe cases, this can drain the keeper of all its funds.

Impact

In serious cases, this can drain all of the keeper's funds.

Tools Used

Manual review

Recommendations

It is recommended to correctly update self.refundee to keeper in the processWithdrawFailure function.
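The pattern described above beside the recommended fix, as an added simplified illustration that is not Steadefi's code (the contract, struct, function names and the in-contract refund bookkeeping are all assumptions of this model):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model (added illustration, not Steadefi's code). When a
/// withdrawal fails the vault re-adds liquidity, which costs a fresh
/// execution fee; the external protocol refunds the unused portion to
/// `refundee`, so `refundee` must be whoever fronted that fee.
contract RefundeeExample {
    struct WithdrawCache {
        address user;                // who initiated withdraw()
        uint256 minWithdrawTokenAmt; // user-controlled slippage bound
    }

    address public keeper;
    address public refundee; // receives execution-fee refunds
    WithdrawCache public withdrawCache;
    // Stand-in for the external protocol's refund: fee owed back per address.
    mapping(address => uint256) public owedRefund;

    constructor(address _keeper) { keeper = _keeper; }

    /// User starts a withdrawal and fronts the execution fee, so at this
    /// point the user is correctly the refundee.
    function withdraw(uint256 minWithdrawTokenAmt) external payable {
        withdrawCache = WithdrawCache(msg.sender, minWithdrawTokenAmt);
        refundee = msg.sender;
        _pay(msg.value);
    }

    /// VULNERABLE: the keeper fronts a new execution fee to re-add liquidity,
    /// but refundee still points at the user, so the unused fee goes to the user.
    function processWithdrawFailureVulnerable() external payable {
        require(msg.sender == keeper, "not keeper");
        _pay(msg.value);
    }

    /// FIXED: point refundee at the party that actually paid this fee
    /// before the fee-consuming call is made.
    function processWithdrawFailureFixed() external payable {
        require(msg.sender == keeper, "not keeper");
        refundee = keeper;
        _pay(msg.value);
    }

    /// Stand-in for the external protocol: consumes part of the execution
    /// fee and credits the remainder to the current refundee.
    function _pay(uint256 executionFee) internal {
        uint256 used = executionFee / 2; // constructed: half the fee is consumed
        owedRefund[refundee] += executionFee - used;
    }
}
```

Calling withdraw from a user account and then processWithdrawFailureVulnerable from the keeper credits the leftover fee to the user in owedRefund, whereas processWithdrawFailureFixed credits it to the keeper.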

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Keepers do not get refund for execution fee

Impact: High (loss of funds for keepers)
Likelihood: High
- processDepositFailure
- processWithdrawFailure
