A malicious user can front-run a withdrawMultiple transaction by calling withdraw on one of the stream ids passed in the withdrawMultiple parameters, causing the whole transaction to revert.
The withdrawMultiple function takes an array of stream ids and an array of amounts to withdraw per stream, iterates over them, and calls withdraw with each stream id and its amount.
However, withdraw reverts if the amount is zero or exceeds the amount currently withdrawable from that stream.
A revert in any one of these withdraw calls makes the whole withdrawMultiple call revert.
Abusing this, an attacker can front-run a withdrawMultiple transaction by calling either withdraw or withdrawMax on one of the stream ids it contains, so the victim's requested amount is no longer withdrawable and the batch reverts.
As a result, withdrawMultiple cannot be relied upon to work as expected.
Manual Review
Several mitigations are possible depending on the protocol team's decision; here are some recommendations:
In the withdraw function, do not revert when the requested amount exceeds the withdrawable amount; instead, clamp it to the withdrawable amount and proceed with the withdrawal.
The withdrawMultiple function could use try/catch so that it does not revert when one of the withdrawals fails.
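The following is an added illustration, not the audited protocol's code: a simplified, hypothetical stream vault that reproduces the reverting batch described above and, beside it, a hardened batch implementing the first recommendation (clamping each request to what is still withdrawable and skipping empty streams). The Stream struct, the create helper and the error names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical, simplified vault for illustration; not the protocol's own code.
contract StreamVault {
    struct Stream { address recipient; uint128 withdrawable; }
    mapping(uint256 => Stream) public streams;

    error ZeroAmount();
    error Overdraw(uint256 streamId, uint128 requested, uint128 available);

    // Test helper (unguarded on purpose) to set up a stream with a balance.
    function create(uint256 id, address recipient, uint128 amount) external {
        streams[id] = Stream(recipient, amount);
    }

    // Behaviour described in the finding: anyone may trigger a withdrawal to the
    // recipient, and the call reverts on a zero amount or on an overdraw.
    function withdraw(uint256 streamId, uint128 amount) public {
        Stream storage s = streams[streamId];
        if (amount == 0) revert ZeroAmount();
        if (amount > s.withdrawable) revert Overdraw(streamId, amount, s.withdrawable);
        s.withdrawable -= amount;
        // token transfer to s.recipient omitted for brevity
    }

    function withdrawMax(uint256 streamId) external {
        withdraw(streamId, streams[streamId].withdrawable);
    }

    // Vulnerable batch: one reverting withdraw reverts the entire batch, so a
    // withdraw/withdrawMax mined just before it on any listed stream blocks it.
    function withdrawMultiple(uint256[] calldata ids, uint128[] calldata amounts) external {
        require(ids.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < ids.length; ++i) withdraw(ids[i], amounts[i]);
    }

    // Hardened batch (first recommendation): clamp each request to the amount
    // still withdrawable and skip drained streams instead of reverting.
    function withdrawMultipleSafe(uint256[] calldata ids, uint128[] calldata amounts) external {
        require(ids.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < ids.length; ++i) {
            uint128 available = streams[ids[i]].withdrawable;
            uint128 amount = amounts[i] > available ? available : amounts[i];
            if (amount == 0) continue; // nothing left on this stream: skip it
            withdraw(ids[i], amount);
        }
    }
}
```

With this version, a front-running withdrawMax on one stream only reduces that stream's payout to zero while the remaining streams in the batch are still paid out.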