This repository has been archived by the owner on Oct 1, 2023. It is now read-only.
immeas - no way for users to dequeue their deposits #295
Labels
Non-Reward
This issue will not receive a payout
immeas
medium
no way for users to dequeue their deposits
Summary
There are plenty of ways that the deposit queue might get stuck. Whenever it is stuck, there is no way for a user to withdraw their queued funds.
Vulnerability Detail
When a user queues a deposit they pay upfront for the shares which someone else will mint later. If the minting of shares doesn't happen or is prevented from happening the user is left with funds in the vault but no corresponding shares to withdraw them with. Hence the funds might be locked in the vault forever.
Or simply the market has changed and they no longer want to hedge against depeg/supply collateral because their deposit wasn't minted into the correct epoch.
Impact
Due to unforeseen circumstances items might get stuck on the
depositQueue
. This would cause user funds to be locked there forever.Or less dramatic a user might just have a change of heart and not want to partake in the next epoch.
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L494-L500
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L331-L350
Tool used
Manual Review
Recommendation
I recommend the protocol adds a way for users to withdraw their queued deposits.
Duplicate of #68
The text was updated successfully, but these errors were encountered: