Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Valid

Wrong withdrawal batch ID cutoff update

Summary

The updateWithdrawalBatchIdCutoff function of WithdrawalPool allows withdrawalBatchIdCutoff to be set one batch earlier than intended.

Vulnerability Details

In the updateWithdrawalBatchIdCutoff function, the loop that updates newWithdrawalBatchIdCutoff is:

    for (uint256 i = newWithdrawalBatchIdCutoff; i < numBatches; ++i) {
        if (withdrawalBatches[i].indexOfLastWithdrawal >= newWithdrawalIdCutoff) {
            break;
        }
        newWithdrawalBatchIdCutoff = i;
    }

The issue here is that newWithdrawalBatchIdCutoff is set to i instead of i + 1. Because the loop breaks at the first batch that still holds a withdrawal with funds remaining, the cutoff ends up pointing at the last batch whose withdrawals are all fully processed, rather than at the batch one past it (the first batch with remaining funds), which is the intended cutoff.

-- Assume there are 5 withdrawal batches (indexed 0 to 4).
-- Batches 0, 1, and 2 have all withdrawals fully processed (no funds remaining).
-- Batch 3 is the first batch with remaining funds.
-- The correct newWithdrawalBatchIdCutoff should be 3.
-- But due to this bug, it will be set to 2.
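As an added illustration (not the project's code and not part of the original report), the following Python re-implements the loop so the original assignment (i) and the corrected one (i + 1) can be run side by side against the scenario above and against the edge cases a reviewer would check. The batch layout (two withdrawals per batch, so a withdrawal id cutoff of 6 lands in batch 3), the field and helper names, and the expected_cutoff reference function are constructed assumptions.

```python
"""Simulation of the updateWithdrawalBatchIdCutoff loop from the report.

Constructed example, not the project's code: the loop is re-implemented in
Python so the buggy (i) and fixed (i + 1) assignments can be compared on the
report's 5-batch scenario and on edge cases.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class WithdrawalBatch:
    # Mirrors the only field the loop reads: the id of the last withdrawal
    # that belongs to this batch (constructed field name, same meaning as the report).
    index_of_last_withdrawal: int


def update_batch_id_cutoff(batches: List[WithdrawalBatch],
                           current_batch_cutoff: int,
                           new_withdrawal_id_cutoff: int,
                           fixed: bool) -> int:
    """Return the new withdrawalBatchIdCutoff.

    A batch is "fully processed" when every withdrawal in it has an id below
    new_withdrawal_id_cutoff, i.e. index_of_last_withdrawal < cutoff.
    The loop walks forward from the current cutoff and stops at the first
    batch that still holds a withdrawal with funds remaining.
    """
    new_batch_cutoff = current_batch_cutoff
    for i in range(current_batch_cutoff, len(batches)):
        if batches[i].index_of_last_withdrawal >= new_withdrawal_id_cutoff:
            break  # batch i still has a withdrawal with funds: stop here
        # Original code stores i (the fully processed batch itself);
        # the fix stores i + 1 (the first batch that may still have funds).
        new_batch_cutoff = i + 1 if fixed else i
    return new_batch_cutoff


def expected_cutoff(batches: List[WithdrawalBatch],
                    current_batch_cutoff: int,
                    new_withdrawal_id_cutoff: int) -> int:
    """Reference answer (assumed semantics): index of the first batch at or
    after the current cutoff that still has funds, or len(batches) if none does."""
    for i in range(current_batch_cutoff, len(batches)):
        if batches[i].index_of_last_withdrawal >= new_withdrawal_id_cutoff:
            return i
    return len(batches)


def report_scenario() -> Tuple[List[WithdrawalBatch], int, int]:
    """The report's scenario: 5 batches, batches 0-2 fully processed, batch 3
    is the first with remaining funds. Constructed layout: batch k covers
    withdrawal ids 2k and 2k+1, so a withdrawal id cutoff of 6 lands in batch 3."""
    batches = [WithdrawalBatch(index_of_last_withdrawal=2 * k + 1) for k in range(5)]
    return batches, 0, 6


def compare(batches: List[WithdrawalBatch],
            current_batch_cutoff: int,
            new_withdrawal_id_cutoff: int) -> Tuple[int, int, int]:
    """(buggy result, fixed result, reference answer) for one input."""
    buggy = update_batch_id_cutoff(batches, current_batch_cutoff, new_withdrawal_id_cutoff, fixed=False)
    fixed = update_batch_id_cutoff(batches, current_batch_cutoff, new_withdrawal_id_cutoff, fixed=True)
    return buggy, fixed, expected_cutoff(batches, current_batch_cutoff, new_withdrawal_id_cutoff)


if __name__ == "__main__":
    batches, start, wid_cutoff = report_scenario()
    print("report scenario (buggy, fixed, expected):", compare(batches, start, wid_cutoff))
    # Edge case: every batch is fully processed -> fixed code returns len(batches)
    print("all processed:", compare(batches, 0, 10))
    # Edge case: the first batch already has funds -> cutoff unchanged in both versions
    print("nothing to advance:", compare(batches, 0, 0))
```

On the report's scenario the buggy assignment returns 2 and the fixed one 3, matching the reference. The "all processed" case is worth noting: with i + 1 the fixed loop returns len(batches), one past the last valid index, which is the correct "nothing left to process" cutoff only if every reader of withdrawalBatchIdCutoff tolerates that value.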

Impact

This results in the withdrawalBatchIdCutoff being set one batch earlier than intended.

Tools Used

Manual review

Recommendations

Update updateWithdrawalBatchIdCutoff so that newWithdrawalBatchIdCutoff is set to the batch one past the last fully processed one:

for (uint256 i = newWithdrawalBatchIdCutoff; i < numBatches; ++i) {
if (withdrawalBatches[i].indexOfLastWithdrawal >= newWithdrawalIdCutoff) {
break;
}
- newWithdrawalBatchIdCutoff = i;
+ newWithdrawalBatchIdCutoff = i + 1;
}
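Review bot: the i + 1 assignment changes the result in the case where the loop runs to the end without breaking (every batch from the current cutoff onward is fully processed): the cutoff becomes numBatches rather than numBatches - 1, i.e. one past the last valid index of withdrawalBatches. That is the correct cutoff, and this loop stays safe because the i < numBatches condition guards the read, but confirm that no other reader of withdrawalBatchIdCutoff indexes withdrawalBatches[withdrawalBatchIdCutoff] without the same bound check. A one-line comment above the loop stating the invariant (every batch below the cutoff is fully processed; the batch at the cutoff, if it exists, is the first that may still hold funds) would make the off-by-one obvious in future review.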

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

newWithdrawalBatchIdCutoff
