Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

immeas - no way for users to dequeue their deposits #295

Closed
sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Closed

immeas - no way for users to dequeue their deposits #295

sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 27, 2023

immeas

medium

no way for users to dequeue their deposits

Summary

There are plenty of ways that the deposit queue might get stuck. Whenever it is stuck, there is no way for a user to withdraw their queued funds.

Vulnerability Detail

When a user queues a deposit they pay upfront for the shares which someone else will mint later. If the minting of shares doesn't happen or is prevented from happening the user is left with funds in the vault but no corresponding shares to withdraw them with. Hence the funds might be locked in the vault forever.

Or simply the market has changed and they no longer want to hedge against depeg/supply collateral because their deposit wasn't minted into the correct epoch.

Impact

Due to unforeseen circumstances items might get stuck on the depositQueue. This would cause user funds to be locked there forever.

Or less dramatic a user might just have a change of heart and not want to partake in the next epoch.

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L494-L500

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L331-L350

Tool used

Manual Review

Recommendation

I recommend the protocol adds a way for users to withdraw their queued deposits.

Duplicate of #68

@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue labels Apr 11, 2023
@sherlock-admin sherlock-admin removed the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Apr 28, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Development

No branches or pull requests

1 participant