Potential Out-of-Gas attack vulnerability due to the queueWithdrawal function allowing the queuedWithdrawals array to grow indefinitely.
The queueWithdrawal function lets users add withdrawal requests without limit, so the queuedWithdrawals array keeps growing. When updateWithdrawalBatchIdCutoff and _finalizeWithdrawals traverse the array, gas consumption may become excessive and the transaction can run out of gas.

A malicious user can transfer tokens to PriorityPool.sol by calling StakingPool.sol::transferAndCall(), sending a small number of tokens each time but doing so frequently. Each transfer triggers the onTokenTransfer() callback of PriorityPool.sol, which calls WithdrawalPool.sol::queueWithdrawal() and appends another entry to the queuedWithdrawals array.
An attacker could exploit this behavior to disrupt contract operations, rendering critical functions such as withdrawal and batch updates unusable by consuming all available gas, leading to denial of service.
Manual code analysis.
1. Limit queue length: Limit the maximum number of withdrawal requests allowed for each user in the queue to prevent unlimited growth. For example, you can set a maximum length limit, and when the limit is reached, new withdrawal requests will be rejected.
2. Implement a cooldown period: Set a cooldown period for each user's withdrawal request to limit the frequent calls to the queueWithdrawal function. This can reduce the number of requests in a short period of time, thereby mitigating potential attack risks.
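
A sketch of both recommendations combined, added here as an illustration and not taken from the project's WithdrawalPool.sol. Only queueWithdrawal and queuedWithdrawals are names from the finding; the contract name, struct, limits, errors and finalizeNext() are hypothetical, and caller restrictions and token accounting are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: per-account queue cap plus cooldown (hypothetical names).
contract BoundedWithdrawalQueue {
    struct Withdrawal {
        address account;
        uint256 amount;
    }

    uint256 public constant MAX_PENDING_PER_ACCOUNT = 5; // assumed limit
    uint256 public constant COOLDOWN = 1 hours;          // assumed cooldown

    Withdrawal[] public queuedWithdrawals;
    uint256 public head; // index of the next withdrawal to finalize
    mapping(address => uint256) public pendingCount;
    mapping(address => uint256) public lastQueuedAt;

    error TooManyPendingWithdrawals();
    error CooldownActive();
    error NothingQueued();

    function queueWithdrawal(address account, uint256 amount) external {
        // Recommendation 1: reject once the account's pending entries hit the cap.
        if (pendingCount[account] >= MAX_PENDING_PER_ACCOUNT) {
            revert TooManyPendingWithdrawals();
        }
        // Recommendation 2: enforce a minimum interval between requests.
        uint256 last = lastQueuedAt[account];
        if (last != 0 && block.timestamp < last + COOLDOWN) {
            revert CooldownActive();
        }
        pendingCount[account] += 1;
        lastQueuedAt[account] = block.timestamp;
        queuedWithdrawals.push(Withdrawal(account, amount));
    }

    // Finalizes one entry and frees the account's slot so the cap
    // counts only withdrawals that are still pending.
    function finalizeNext() external {
        if (head >= queuedWithdrawals.length) revert NothingQueued();
        Withdrawal memory w = queuedWithdrawals[head];
        head += 1;
        pendingCount[w.account] -= 1;
    }
}
```

Both checks are keyed per account, so they bound how fast one address can grow the array rather than the array's total length.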