Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

The first iteration in `_finalizeWithdrawals` can cause an underflow

yaioxy

Summary

The WithdrawalPool contract contains a potential underflow vulnerability in the _finalizeWithdrawals function. Specifically, when indexOfNextWithdrawal is 0 and sharesRemaining > sharesToWithdraw, the contract attempts to push a WithdrawalBatch with a negative index, causing a revert due to underflow.

Vulnerability Details

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/priorityPool/WithdrawalPool.sol#L448

In the first iteration of _finalizeWithdrawals function, indexOfNextWithdrawal is 0, and if in this loop we got sharesRemaining > sharesToWithdraw, a new withdrawalBatches will be pushed. But with indexOfLastWithdrawal = i-1 :

withdrawalBatches.push(
WithdrawalBatch(uint128(i - 1), uint128(_getStakeByShares(1 ether)))
);

And since i here is equal to 0, the function will revert due to underflow.

Impact

The first iteration in _finalizeWithdrawals will revert if sharesRemaining > sharesToWithdraw.

Tools Used

Manual Review

Recommendations

I do not have a suitable recommendation for this issue.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!