The withdrawalBatches array grows without bound in the WithdrawalPool::_finalizeWithdrawals function, which leads to denial of service.
Each time a withdrawal is finalized in WithdrawalPool::_finalizeWithdrawals, a new batchId is appended to the withdrawalBatches array, so over time the array can become very large. There is no way to remove elements from this array; it only grows. This leads to denial of service in the functions WithdrawalPool::getBatchIds and WithdrawalPool::getFinalizedWithdrawalIdsByOwner, which iterate over the array.
This issue is reported in Cyfrin - LINK Staking Withdrawals audit (7.3.1) and the proposed solution is to find a cut-off batch id and all batches up to and including this cutoff batch id can be safely ignored.
The protocol team has implemented the WithdrawalPool::updateWithdrawalBatchIdCutoff function, which updates the withdrawalIdCutoff variable, and this variable is then correctly used in the getBatchIds function.
The problem is that WithdrawalPool::updateWithdrawalBatchIdCutoff is not called from any of the contract's own functions. If it is never called externally, withdrawalIdCutoff stays at zero and the cutoff has no effect.
The implemented fix is therefore not sufficient, and the possibility of denial of service in the WithdrawalPool::getBatchIds and WithdrawalPool::getFinalizedWithdrawalIdsByOwner functions still persists.
Manual Review
Call WithdrawalPool::updateWithdrawalBatchIdCutoff after the withdrawal is finalized, so that the withdrawal batch id cutoff is kept up to date.
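The pattern below is an added, simplified model of the issue and the recommended fix, not the LINK staking WithdrawalPool code: the struct layout, the `oldestPendingWithdrawalId` bookkeeping and the cutoff semantics (an index into the array) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified model of the append-only batch array and the cutoff fix.
// Names mirror the finding where possible; the internal logic is illustrative only.
contract BatchCutoffExample {
    struct Batch {
        uint256 lastWithdrawalId; // highest withdrawal id settled by this batch (assumed)
        bool finalized;
    }

    // Append-only: one entry per finalized batch, never removed.
    uint256[] public withdrawalBatches;
    mapping(uint256 => Batch) public batches;

    // Index into withdrawalBatches; everything below it is fully claimed and skippable.
    uint256 public withdrawalIdCutoff;
    // Lowest withdrawal id that still has unclaimed funds (assumed to be tracked here).
    uint256 public oldestPendingWithdrawalId;

    function _finalizeWithdrawals(uint256 batchId, uint256 lastWithdrawalId) internal {
        withdrawalBatches.push(batchId);
        batches[batchId] = Batch(lastWithdrawalId, true);
        // The recommendation: refresh the cutoff every time the array grows,
        // so the getters below never have to scan from index 0.
        updateWithdrawalBatchIdCutoff();
    }

    // Called when a withdrawal is claimed; advances the oldest pending id (assumed helper).
    function _onWithdrawalClaimed(uint256 withdrawalId) internal {
        if (withdrawalId >= oldestPendingWithdrawalId) oldestPendingWithdrawalId = withdrawalId + 1;
    }

    // Moves the cutoff past every batch whose withdrawals have all been claimed.
    function updateWithdrawalBatchIdCutoff() public {
        uint256 cutoff = withdrawalIdCutoff;
        uint256 n = withdrawalBatches.length;
        while (cutoff < n && batches[withdrawalBatches[cutoff]].lastWithdrawalId < oldestPendingWithdrawalId) {
            cutoff++;
        }
        withdrawalIdCutoff = cutoff;
    }

    // If the cutoff stays at zero, this loop covers the whole array and eventually
    // exceeds the block gas limit: the denial of service described in the finding.
    function getBatchIds() external view returns (uint256[] memory ids) {
        uint256 start = withdrawalIdCutoff;
        ids = new uint256[](withdrawalBatches.length - start);
        for (uint256 i = start; i < withdrawalBatches.length; i++) {
            ids[i - start] = withdrawalBatches[i];
        }
    }
}
```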