Summary

The function FundFlowController::updateVaultGroups has to "periodically unbonds vaults in the Chainlink staking contract to ensure there are always funds available to withdraw". This assumption does not exist in the codebase, as no automation mechanism to enforce the function to be called regularly is implemented.

Vulnerability Details

The function FundFlowController::updateVaultGroups plays an important part in the protocol as it unbonds vaults from the Chainlink contract, allowing stakers to withdraw their funds.

While the protocol documentation states that funds should always be available to withdraw, updateVaultGroups is marked as external and isn't called anywhere else in the codebase, relying on it being called by third-parties at the correct times.

As updateVaultGroups will only revert if insufficient time has passed (based on block.timestamp), the function could easily be automated using Chainlink's performUpkeep functionality, which is already implemented in other parts of the protocol.

Automating the function would ensure that the unbonding of vaults is factually called periodically, maintaining the invariant that at least one vault group remains unbonded at all time.

Impact

If updateVaultGroups is not called in a timely manner, vaults will remain bonded, leading to a situation where stakers are unable to withdraw their funds. This could result in a significant user experience issue, a loss of trust in the protocol, and potential financial loss for stakers, especially during times of high withdrawal demand.

Tools Used

Manual review.

Recommendations

Implement Chainlink's performUpkeep functionality to call this function periodically. This will ensure that vaults are unbonded as required, allowing users to withdraw funds at any time.