The function allows free withdrawals, enabling flash loan abuse and liquidity manipulation, and there is no cooldown period between withdraw and deposit.
Attackers can deposit and withdraw repeatedly to:
Drain the protocol reserves through liquidity fluctuations.
Exploit the liquidity rebalancing mechanism if _rebalanceLiquidity() sells/buys assets dynamically.
Scenario:
Attacker deposits a large amount -> triggers _rebalanceLiquidity() to adjust reserves.
Attacker immediately withdraws -> another rebalance happens.
Repeating the process multiple times forces continuous buy/sell actions by the protocol.
If _rebalanceLiquidity() involves external AMM swaps (e.g. Curve, Uniswap), the attacker profits from price slippage while the protocol bears the cost.
The protocol loses money due to constant liquidity rebalancing fees.
Whales can exploit free withdrawals, reducing available liquidity for real users.
Manual Review
Charge a small fee to disincentivize frequent withdrawals.
If possible, add a lock period between deposit and withdrawal.
If possible, the same can be done for the `borrow` function, where users may borrow because of price fluctuations.
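As an added illustration of the recommendation (not code from the audited protocol), a hypothetical vault that enforces an assumed 1-day lock after each deposit and charges an assumed 0.10% withdrawal fee, so that a deposit/withdraw loop cannot trigger `_rebalanceLiquidity()` instantly or for free; the contract, constant names and values are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical vault showing the mitigation: a minimum holding period after
/// each deposit plus a small withdrawal fee.
contract CooldownVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    uint256 public constant WITHDRAW_COOLDOWN = 1 days; // assumed lock period
    uint256 public constant WITHDRAW_FEE_BPS = 10;      // assumed 0.10% fee
    uint256 private constant BPS = 10_000;

    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public lastDepositAt;
    uint256 public collectedFees;

    constructor(IERC20 _asset) { asset = _asset; }

    function deposit(uint256 amount) external {
        require(amount > 0, "zero amount");
        asset.safeTransferFrom(msg.sender, address(this), amount);
        balanceOf[msg.sender] += amount;
        // Every deposit restarts the clock, so a top-up cannot shorten the lock.
        lastDepositAt[msg.sender] = block.timestamp;
        _rebalanceLiquidity();
    }

    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        // A fresh deposit cannot be withdrawn in the same block or transaction,
        // which rules out flash-loan-funded deposit/withdraw churn.
        require(block.timestamp >= lastDepositAt[msg.sender] + WITHDRAW_COOLDOWN, "cooldown active");
        uint256 fee = (amount * WITHDRAW_FEE_BPS) / BPS;
        balanceOf[msg.sender] -= amount; // effects before the external transfer
        collectedFees += fee;
        asset.safeTransfer(msg.sender, amount - fee);
        _rebalanceLiquidity();
    }

    /// Placeholder for the protocol's own rebalancing logic (not shown in the finding).
    function _rebalanceLiquidity() internal {}
}
```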