DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Incorrect Lock Time Check Blocks Withdrawals Exactly at Expiration in PerpetualVault Contract

Summary

The withdraw function in the PerpetualVault contract has a flaw in its lock time check logic. Specifically, it prevents users from withdrawing funds exactly at the moment the lock time expires, forcing them to wait an additional block. This behavior is unintended and negatively impacts user experience.

Vulnerability Details

  • Location: The issue is in the withdraw function of the PerpetualVault contract.

  • Root Cause: The lock time check uses depositInfo[depositId].timestamp + lockTime >= block.timestamp. This condition incorrectly blocks withdrawals exactly at the lock time expiration because the >= operator includes the exact moment.

  • Expected Behavior: Users should be able to withdraw funds at or after the lock time expires.

  • Current Behavior: Users must wait one additional block after the lock time expires to withdraw funds.

Impact

  • User Experience: Users are unable to withdraw funds at the exact moment the lock time expires, which can lead to frustration and confusion.

  • Financial Impact: Delayed withdrawals could result in missed opportunities, such as taking advantage of favorable market conditions or reinvesting funds.

  • Severity: Medium (functional issue affecting user experience and fairness).

Tools Used

  • Foundry: Used to write and run the test case to verify the vulnerability.

  • Manual Review: Identified the issue during a code review of the withdraw function.

Recommendations

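To fix this issue, update the lock time check in the withdraw function to use > instead of >= (written below with the operands swapped, as block.timestamp < depositInfo[depositId].timestamp + lockTime). This ensures that withdrawals are allowed at or after the lock time expiration.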

    // Before (incorrect)
    if (depositInfo[depositId].timestamp + lockTime >= block.timestamp) {
        revert Error.Locked();
    }

    // After (correct)
    if (block.timestamp < depositInfo[depositId].timestamp + lockTime) {
        revert Error.Locked();
    }

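The boundary behaviour described above can be checked with a Foundry test like the following. This is an added example, not part of the original submission or the PerpetualVault code: LockModel, its function names, and the START and LOCK values are hypothetical stand-ins that reproduce only the two comparisons quoted in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the lock check only; not the PerpetualVault source.
contract LockModel {
    error Locked();
    uint256 public immutable lockTime;
    mapping(uint256 => uint256) public depositTimestamp;

    constructor(uint256 _lockTime) { lockTime = _lockTime; }
    function deposit(uint256 id) external { depositTimestamp[id] = block.timestamp; }

    // Comparison quoted in the report: still locked when expiry == block.timestamp.
    function checkReported(uint256 id) external view {
        if (depositTimestamp[id] + lockTime >= block.timestamp) revert Locked();
    }

    // Comparison recommended in the report: unlocked from the expiry timestamp on.
    function checkRecommended(uint256 id) external view {
        if (block.timestamp < depositTimestamp[id] + lockTime) revert Locked();
    }
}

contract LockBoundaryTest is Test {
    uint256 constant START = 1_700_000_000; // constructed deposit time
    uint256 constant LOCK = 1 weeks;        // constructed lock period
    LockModel model;

    function setUp() public {
        model = new LockModel(LOCK);
        vm.warp(START);
        model.deposit(1);
    }

    function test_lockBoundary() public {
        vm.warp(START + LOCK - 1); // one second before expiry: both revert
        vm.expectRevert(LockModel.Locked.selector);
        model.checkReported(1);
        vm.expectRevert(LockModel.Locked.selector);
        model.checkRecommended(1);

        vm.warp(START + LOCK); // exactly at expiry: only the reported check reverts
        vm.expectRevert(LockModel.Locked.selector);
        model.checkReported(1);
        model.checkRecommended(1);

        vm.warp(START + LOCK + 1); // one second after expiry: both pass
        model.checkReported(1);
        model.checkRecommended(1);
    }
}
```

Run it with forge test inside a Foundry project that has forge-std installed. The two comparisons differ only when a block's timestamp equals the expiry exactly; at every other timestamp they give the same result.
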
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational or Gas

Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelihood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
