Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

No check to ensure that `_withdrawalIds[i]` corresponds to a valid withdrawal in `queuedWithdrawals` in the WithdrawalPool.sol contract

Summary

In WithdrawalPool.sol:getWithdrawals() the function lacks a check to ensure that the withdrawal IDs provided in _withdrawalIds[] are valid. This could lead to erroneous or unsafe data being returned to the caller, potentially causing incorrect behavior in the broader system that relies on this function's output.

Vulnerability Details

The function does not validate whether the withdrawal IDs in the _withdrawalIds array correspond to existing withdrawals in the queuedWithdrawals mapping. If an invalid ID is provided, the function will still return a zero-initialized Withdrawal struct, which could be mistaken for legitimate data.
https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/priorityPool/WithdrawalPool.sol#L135-L145

```solidity
function getWithdrawals(
    uint256[] calldata _withdrawalIds
) external view returns (Withdrawal[] memory) {
    // One output slot per requested ID
    Withdrawal[] memory withdrawals = new Withdrawal[](_withdrawalIds.length);
    for (uint256 i = 0; i < _withdrawalIds.length; ++i) {
        // No validation of _withdrawalIds[i] before the lookup
        withdrawals[i] = queuedWithdrawals[_withdrawalIds[i]];
    }
    return withdrawals;
}
```

POC

```solidity
// Assume queuedWithdrawals is a mapping from uint256 to Withdrawal structs
uint256[] memory ids = new uint256[](1);
ids[0] = 9999; // Assuming 9999 is an invalid ID
Withdrawal[] memory invalidWithdrawals = getWithdrawals(ids);
assert(invalidWithdrawals[0].amount == 0); // Zero-initialized struct returned for invalid ID
```

In this example, calling getWithdrawals([9999]) will return a Withdrawal struct with default values (0 for uint256 types), which may cause downstream issues when the function is expected to return only valid data.

Impact

Users could receive incorrect or incomplete data if they request invalid withdrawal IDs. This could result in faulty business logic or incorrect display of withdrawal data on frontends.

Tools Used

Manual review

Recommendations

Ensure that each _withdrawalId provided corresponds to a valid withdrawal in the queuedWithdrawals mapping. Add this check to the code:

```solidity
require(queuedWithdrawals[_withdrawalIds[i]].amount != 0, "Invalid withdrawal ID");
```

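An added example, not part of the submission or of Stakelink's code: a hypothetical contract that assumes, as the submission does, that withdrawals are stored in a mapping. It contrasts the unchecked read with a lookup that validates each ID against the range of issued IDs, since a check on `amount != 0` would also reject an existing entry whose amount has legitimately dropped to zero. The contract name, `owner` field, `nextId`, `queue`, `settle` and the custom error are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added example: hypothetical contract, not Stakelink's WithdrawalPool.
contract WithdrawalLookupExample {
    // Hypothetical struct; `amount` mirrors the field used in the submission's PoC.
    struct Withdrawal {
        uint256 amount;
        address owner;
    }

    error InvalidWithdrawalId(uint256 id);

    mapping(uint256 => Withdrawal) private queuedWithdrawals;
    uint256 private nextId = 1; // IDs are issued sequentially; 0 is never assigned

    function queue(uint256 _amount) external returns (uint256 id) {
        id = nextId++;
        queuedWithdrawals[id] = Withdrawal(_amount, msg.sender);
    }

    // Models a fully processed withdrawal: amount becomes 0 but the entry still exists.
    function settle(uint256 _id) external {
        if (_id == 0 || _id >= nextId) revert InvalidWithdrawalId(_id);
        require(queuedWithdrawals[_id].owner == msg.sender, "Not owner");
        queuedWithdrawals[_id].amount = 0;
    }

    // Unchecked read: an unknown ID silently yields a zero-initialized struct.
    function getWithdrawalsUnchecked(uint256[] calldata _ids) external view returns (Withdrawal[] memory out) {
        out = new Withdrawal[](_ids.length);
        for (uint256 i = 0; i < _ids.length; ++i) {
            out[i] = queuedWithdrawals[_ids[i]];
        }
    }

    // Checked read: existence is decided by the ID range, not by a field value,
    // so a settled entry (amount == 0) is still returned and an unknown ID reverts.
    function getWithdrawalsChecked(uint256[] calldata _ids) external view returns (Withdrawal[] memory out) {
        out = new Withdrawal[](_ids.length);
        for (uint256 i = 0; i < _ids.length; ++i) {
            uint256 id = _ids[i];
            if (id == 0 || id >= nextId) revert InvalidWithdrawalId(id);
            out[i] = queuedWithdrawals[id];
        }
    }
}
```

Because the checked variant reverts on the first unknown ID, a single bad entry fails the whole batch; callers that need partial results have to filter IDs before calling.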
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
