The withdrawal function allows users to choose whether to unqueue tokens during withdrawal. This design, combined with the contract's ability to be paused, could lead to a scenario where users' queued tokens become temporarily inaccessible.
In the withdraw function, the _shouldUnqueue parameter determines whether queued tokens should be withdrawn. If set to false, the function skips the unqueueing process entirely, even if the user has queued tokens. This can result in the following sequence:
1. A user with both queued tokens and LSTs withdraws only LSTs (_shouldUnqueue = false).
2. The contract is paused before the user can unqueue their tokens in a separate transaction.
3. The user's queued tokens become inaccessible until the contract is unpaused.
Users are denied access to their queued tokens (a denial of service) if the contract is paused after they've withdrawn LSTs but before they've had a chance to unqueue their tokens.
Manual
Consider implementing a mechanism that allows users to unqueue their tokens even when the contract is paused, for example by adding a separate unqueue function that remains operational during paused states, or by adjusting the pause functionality to restrict only new deposits and withdrawals while still allowing unqueueing of existing tokens.
Alternatively, implementing a time-lock on the pause functionality could give users a window to unqueue their tokens before the pause takes effect.
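One way to implement the first recommendation, as an added sketch that is not the audited project's code: withdraw stays pausable, while a separate unqueue path is left outside the pause gate. The contract name, the fund, unqueue and setPaused functions, and the balance mappings are assumptions, and token transfers are modelled as internal accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified model of the finding; not the audited contract.
// Token transfers are replaced by balance bookkeeping so the sketch is self-contained.
contract QueueSketch {
    address public owner;
    bool public paused;
    mapping(address => uint256) public queued;     // tokens still waiting in the queue
    mapping(address => uint256) public lstBalance; // LSTs credited to the user
    mapping(address => uint256) public claimable;  // tokens released back to the user

    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor() { owner = msg.sender; }

    function setPaused(bool _paused) external {
        require(msg.sender == owner, "not owner");
        paused = _paused;
    }

    // Stand-in for deposit/queue logic (assumed): new inflows stop while paused.
    function fund(uint256 _lst, uint256 _queued) external whenNotPaused {
        lstBalance[msg.sender] += _lst;
        queued[msg.sender] += _queued;
    }

    // Pausable path. With _shouldUnqueue == false the queued balance is left
    // untouched, which is the state the finding's scenario starts from.
    function withdraw(uint256 _lstAmount, bool _shouldUnqueue) external whenNotPaused {
        lstBalance[msg.sender] -= _lstAmount; // 0.8 checked math reverts on underflow
        claimable[msg.sender] += _lstAmount;
        if (_shouldUnqueue) _unqueue(msg.sender, queued[msg.sender]);
    }

    // Exit-only path, deliberately NOT gated by whenNotPaused: it can only
    // return the caller's own queued tokens, so it stays open during a pause.
    function unqueue(uint256 _amount) external {
        _unqueue(msg.sender, _amount);
    }

    function _unqueue(address _user, uint256 _amount) internal {
        queued[_user] -= _amount; // reverts if the user has less queued than requested
        claimable[_user] += _amount;
    }
}
```

With this shape, a user who called withdraw with _shouldUnqueue = false can still call unqueue after setPaused(true), while fund and withdraw revert.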