Funds Loss During withdraw() Call Due to Insufficient Available Funds and Race Condition
Summary
When a user attempts to withdraw funds via tokenizedstrategy.withdraw(), the method internally calls _freeFunds() to free the necessary unexchanged assets from the transmuter. However, if insufficient funds are available at the time of the withdrawal, _freeFunds() transfers the available amount only, resulting in partial loss of funds and burning of all user shares
Vulnerability Details
1. A user queries StrategyMainnet.availableWithdrawLimit to determine the available withdrawal limit.
2. The user sends a withdraw() request, assuming the limit is sufficient.
3. Race Condition: A malicious actor or other users front-run the request and withdraw the available funds first.
4. By the time the initial user’s transaction is processed:
The available funds are insufficient.
_freeFunds()transfers only the remaining amount, if any.The user’s shares are burned regardless of the incomplete withdrawal.
5. The user ends up losing their funds entirely.
This happens everytime that multiple users simultaneously call withdraw() with amounts that collectively exceed the available unexchanged balance.
Impact
Users can lose all their funds if the available balance is insufficient during withdrawal
Tools Used
vscode
Recommendations
Try one of these:
1- If partial funds are transferred due to insufficient availability, burn shares proportional to the amount actually received.
2- in _withdraw() function, revert when there is less available assets for withdraw:
3- In the _freeFunds() function, remove the logic that caps the funds to totalAvailable and instead send the full _amount to the transmuter. If there are insufficient funds, the transaction will automatically revert.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.