The audit does not ensure that it has identified every security issue in the smart contracts, and it should not be seen as a confirmation that there are no more vulnerabilities. While we have conducted an analysis to the best of our ability, it is our recommendation for high-value contracts to commission several independent audits, a public bug bounty program, as well as continuous onchain security auditing and monitoring through Fuzzland Blaz+ Analysis and Alert. Additionally, this report should not be interpreted as personal financial advice or recommendations.
During the withdrawal process, the contract checks that the entity requesting the withdrawal is not frozen. However, there is no verification in place to ensure that the withdrawer (the recipient of the withdrawn funds or shares) is not frozen. Additionally, the completeQueuedWithdrawal function allows a frozen user to receive shares by withdrawing them from another user who is not frozen, contrary to the general logic where a frozen user cannot stake, receive shares, or increase shares.
// src\\contracts\\core\\StrategyManager.sol
function queueWithdrawal(
uint256[] calldata strategyIndexes,
IStrategy[] calldata strategies,
uint256[] calldata shares,
address withdrawer,
bool undelegateIfPossible
)
external
onlyWhenNotPaused(PAUSED_WITHDRAWALS)
onlyNotFrozen(msg.sender)//@audit
nonReentrant
returns (bytes32)
{
require(strategies.length == shares.length, "StrategyManager.queueWithdrawal: input length mismatch");
require(withdrawer != address(0), "StrategyManager.queueWithdrawal: cannot withdraw to zero address");
Recommendations
It is recommended to implement checks to ensure that the recipient (withdrawer) of withdrawn funds or shares is not frozen, in line with the standard logic where a frozen user cannot stake, receive shares, or increase shares. Additionally, it is advisable to review and update the withdrawal logic to align with these principles.