Test + docs: pin withdraw(_amountOfEEth) accounting (follow-up to #454)#455
Merged
0xpanicError merged 1 commit intoJun 2, 2026
Merged
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Follow-up to PR #454 review. The fix there (debit totalValueOutOfLp by the eETH amount credited at fulfill, not the ETH paid on claim) had no test that distinguished the two: every withdraw test passes the two amounts equal, so they pass against the buggy code too. - Add test_withdraw_debitsAmountOfEEth_notAmountPaid: pins the divergent down-rebase case (_amount < _amountOfEEth) at the LP boundary where the bug lived. Asserts the debit equals the fulfill-time credit and does not track the smaller ETH paid. - Document _amountOfEEth in the withdraw natspec: it is trusted caller-supplied state, not bounded by Guards 1-3; the checked subtraction is the only LP-local backstop, and the negative-rebase underflow threshold is _amountOfEEth (not _amount). - Fix stale comment in WithdrawEscrowE2E step4 that described the pre-fix behavior (debit by claimable). - Update the stale LiquidityPool.sol:297 _amount reference in the LpRebaseWrnClaimUnderflow finding header.
seongyun-ko
force-pushed
the
seongyun/lp-withdraw-eeth-tests
branch
from
2f7bb88 to
acc4795
Compare
0xpanicError
approved these changes
Jun 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Stacked on #454. Addresses the four review findings on that PR without changing its behavior.
#454 makes
LiquidityPool.withdrawdebittotalValueOutOfLpby_amountOfEEth(the value credited at fulfill/lock) instead of_amount(the ETH actually paid on claim). That fix is correct — but it shipped without a guard that distinguishes the two, and left a few stale comments. This PR closes those gaps.Changes
1. Regression test (the main gap). Every existing
withdrawtest passes the two amounts equal (withdraw(amount, amount, ...)), so none would have failed against the pre-fix code.test_withdraw_debitsAmountOfEEth_notAmountPaidpins the divergent down-rebase case (_amount < _amountOfEEth) at the LP boundary where the bug lived: it asserts the debit equals the fulfill-time credit (_amountOfEEth) and explicitly does not track the smaller ETH paid. Runs offline (no fork).2.
_amountOfEEthnatspec. Documents that it must equal the fulfill-time credit (not_amount), how WRN and PWQ each supply it, and that — unlike_amount/_rate/_shareOfEEth— it is trusted caller-supplied state not bounded by Guards 1–3. The checked subtraction is the only LP-local backstop.3. Negative-rebase underflow note. Records that the fix shifts the documented finalized-withdrawal DoS threshold from
_amountto the (larger)_amountOfEEth, and fixes the staleLiquidityPool.sol:297/_amountreference in theLpRebaseWrnClaimUnderflowfinding header. Bounded by the rebase-APR cap in EtherFiAdmin.4. Stale comment in
WithdrawEscrowE2Estep4. The comment said totalValueOutOfLp "decrements by claimable (the actual ETH paid)" — that's the pre-fix behavior. Corrected to describe the fulfill-time-credit debit and to point at the new LP-boundary regression test for the divergent case.Verification
forge buildclean. Full withdraw suite (18 tests incl. the new one) passes offline:The
WithdrawEscrowE2Echange is comment-only (that file is a mainnet-fork test).Note
Low Risk
No production logic changes—only documentation, comments, and a unit regression test for accounting already fixed in #454.
Overview
Follow-up to #454 (no change to
LiquidityPool.withdrawbehavior): it documents and tests thattotalValueOutOfLpmust be reduced by_amountOfEEth(fulfill/lock credit), not_amount(ETH paid on claim).LiquidityPool.solnatspec clarifies_amountvs_amountOfEEth, that_amountOfEEthis trusted caller state outside Guards 1–3, and that a negative rebase can DoS finalized claims iftotalValueOutOfLpfalls below that debit (bounded by admin rebase APR).test_withdraw_debitsAmountOfEEth_notAmountPaidis a new offline regression where_amount < _amountOfEEth(down-rebase-style) and asserts the LP debit matches the fulfill credit.Comment fixes:
LpRebaseWrnClaimUnderflowheader now references_amountOfEEth;WithdrawEscrowE2Estep4 comment matches fulfill-credit accounting and points at the new LP test for the divergent case.Reviewed by Cursor Bugbot for commit acc4795. Bugbot is set up for automated code reviews on this repo. Configure here.