Per-user withdraw limit not handled correctly #149
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-116
satisfactory
satisfies C4 submission criteria; eligible for awards
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/WithdrawHook.sol#L53-L79
Vulnerability details
Impact
WithdrawHook.sol implements a per-user withdraw limit that resets over time. But the contract logic only resets the user limit for the first user to withdraw after the userPeriodLength; all the other users before the next lastUserPeriodReset will keep their respective limits unchanged.
When the userPeriodLength interval has passed, the next user call to withdraw (consider globalWithdrawLimitPerPeriod has not been reached) will go into the first branch of the if-else statement (see code below), set lastUserPeriodReset to block.timestamp and reset this user's limits. Further withdraws before the next lastUserPeriodReset will go into the second branch of the if-else statement, which adds to the users' limits without resetting them. Therefore all users with the exception of the first will still have outdated limits even though their limits should have been reset.
Over time this can lead to many users reaching max limit and being unable to withdraw until they are the first one to withdraw after userPeriodLength has passed. A malicious actor could also keep frontrunning those first calls to withdraw, effectively blocking any user from resetting their limit.
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/WithdrawHook.sol#L66-L72
Proof of Concept
Steps to reproduce.
userPeriodLength has passed
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/test/WithdrawHook.test.ts
TEST_GLOBAL_WITHDRAW_LIMIT had to be changed to allow two users maxing out their limits.
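
The shared-reset behaviour described under Impact, next to one possible per-user fix, as an added example that is not part of the original report or the prePO code base. It is a plain TypeScript model rather than the contract itself; apart from userPeriodLength and lastUserPeriodReset, every name, the sample values and the fix are assumptions.

```typescript
// Simplified model of the limit logic described in this report. Only userPeriodLength and
// lastUserPeriodReset are the report's names; the rest, including the fix, is assumed.
interface HookState {
  userPeriodLength: number;             // seconds
  userLimit: number;                    // per-user cap per period
  lastUserPeriodReset: number;          // shared timestamp (reported logic)
  lastResetOf: Record<string, number>;  // per-user timestamp (fixed logic)
  withdrawn: Record<string, number>;    // amount withdrawn this period
}
function newState(userPeriodLength: number, userLimit: number): HookState {
  return { userPeriodLength, userLimit, lastUserPeriodReset: 0, lastResetOf: {}, withdrawn: {} };
}

// Reported behaviour; returns false where the contract would revert.
function withdrawShared(s: HookState, user: string, amount: number, now: number): boolean {
  if (s.lastUserPeriodReset + s.userPeriodLength < now) {
    s.lastUserPeriodReset = now;        // first caller moves the shared clock
    s.withdrawn[user] = amount;         // and only that caller is reset
    return true;
  }
  const total = (s.withdrawn[user] ?? 0) + amount;  // stale for everyone else
  if (total > s.userLimit) return false;
  s.withdrawn[user] = total;
  return true;
}

// One possible fix: each user carries their own period start.
function withdrawPerUser(s: HookState, user: string, amount: number, now: number): boolean {
  if ((s.lastResetOf[user] ?? 0) + s.userPeriodLength < now) {
    s.lastResetOf[user] = now;
    s.withdrawn[user] = 0;
  }
  const total = (s.withdrawn[user] ?? 0) + amount;
  if (total > s.userLimit) return false;
  s.withdrawn[user] = total;
  return true;
}

// Constructed scenario: two users max out, a full period passes, both retry.
function scenario(withdraw: typeof withdrawShared): boolean[] {
  const s = newState(3600, 100);
  const t0 = 10000, t1 = t0 + 3601;
  return [
    withdraw(s, "alice", 100, t0),      // alice maxes out
    withdraw(s, "bob", 100, t0 + 1),    // bob maxes out
    withdraw(s, "alice", 100, t1),      // next period: alice is reset
    withdraw(s, "bob", 100, t1 + 1),    // bob should be reset as well
  ];
}
```

With the shared timestamp the last call is rejected although a full period has passed for bob; with a per-user timestamp all four calls succeed.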