Leaving unclaimed tokens in the WithdrawalPool will eventually lead to a DOS in the getFinalizedWithdrawalIdsByOwner function.
Summary
The getFinalizedWithdrawalIdsByOwner function calls getBatchIds, which iterates over the withdrawalBatches. The protocol uses withdrawalBatchIdCutoff to minimize the number of iterations. However, this approach may fail if someone, either intentionally or due to oversight, doesn't claim their tokens from the withdrawal pool.
Vulnerability Details
The updateWithdrawalBatchIdCutoff function allows updating the withdrawalBatchIdCutoff, but this will only happen if all withdrawals from a batch have been collected. If someone fails to withdraw their tokens, whether intentionally or unintentionally, the cutoff won't be updated.
Impact
This function is used only within view functions. However, even off-chain processing might fail if there are too many batches.
It's also worth mentioning that the creation of new batches is not restricted by minTimeBetweenWithdrawals, as new batches can be created when there are items in the withdrawal queue and a user makes a deposit to the staking pool.
Tools Used
Manula Review
Recommendations
It's not that easy to fix, but in can be fixed by paging batches. getFinalizedWithdrawalIdsByOwner might be accepting page number for batches as a parameter.
Lead Judging Commences
M-1 Cyfrin not properly fixed - if someone forgets to withdraw the withdrawalBatches array is still ever increasing
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.