Unbounded withdrawal loop in Vault could theoretically block withdrawals
Description
The withdraw and redeem functions in the contract Vault call the function _performWithdraw, which contains an unbounded loop through the withdrawal queue:
uint256 toWithdraw = assets;
uint256 len = _queue.withdrawQueue.length;
while (toWithdraw > 0 && len > 0)
If the withdrawal queue contains many pools and the early pools in the queue are illiquid or encounter errors during withdrawal, the function could potentially run out of gas or fail to access available liquidity that exists later in the queue.
Impact
In edge cases where:
- the withdrawal queue is long,
- early pools are consistently illiquid or reverting, and
- significant liquidity exists in pools later in the queue,
Users might be temporarily unable to withdraw their funds even though sufficient liquidity exists in the system. However, this scenario requires a specific misconfiguration of the withdrawal queue ordering.
while (toWithdraw > 0 && len > 0) {
// If early pools fail or have no liquidity, loop continues
// Could theoretically exhaust gas before reaching liquid pools
}
Recommendations
Consider implementing a maximum iteration limit or gas checkpoint to ensure the function remains bounded. The vault manager can also mitigate this by properly ordering the withdrawal queue with most liquid pools first.
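The following is an added illustration of the recommended mitigation, not the Vault's own code: the queue length is capped when it is set, the loop is bounded by both an iteration limit and a gas checkpoint, and a pool that reverts is skipped so that liquidity later in the queue stays reachable. The IPool interface, the constants and the error names are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical pool interface (assumed for this example, not the project's own).
interface IPool {
    // Withdraws up to `amount` for the caller and returns the amount actually withdrawn.
    function withdraw(uint256 amount) external returns (uint256);
}

contract BoundedWithdrawQueue {
    // Illustrative bounds: at most this many pools are visited per withdrawal,
    // and the loop stops early if less than MIN_GAS_PER_ITERATION gas remains.
    uint256 public constant MAX_QUEUE_ITERATIONS = 10;
    uint256 public constant MIN_GAS_PER_ITERATION = 100_000;

    IPool[] public withdrawQueue;

    error QueueTooLong(uint256 length, uint256 max);
    error InsufficientLiquidity(uint256 requested, uint256 withdrawn);

    // Bounding the queue at configuration time keeps every later loop bounded too.
    function _setWithdrawQueue(IPool[] memory pools) internal {
        if (pools.length > MAX_QUEUE_ITERATIONS) revert QueueTooLong(pools.length, MAX_QUEUE_ITERATIONS);
        withdrawQueue = pools;
    }

    // Bounded replacement for `while (toWithdraw > 0 && len > 0)`: the loop
    // visits at most MAX_QUEUE_ITERATIONS pools, checks remaining gas before each
    // external call, and skips reverting pools instead of failing the withdrawal.
    function _performWithdraw(uint256 assets) internal returns (uint256 withdrawn) {
        uint256 toWithdraw = assets;
        uint256 len = withdrawQueue.length;
        uint256 limit = len < MAX_QUEUE_ITERATIONS ? len : MAX_QUEUE_ITERATIONS;

        for (uint256 i = 0; i < limit && toWithdraw > 0; ++i) {
            if (gasleft() < MIN_GAS_PER_ITERATION) break; // gas checkpoint
            try withdrawQueue[i].withdraw(toWithdraw) returns (uint256 got) {
                // Clamp so a misbehaving pool cannot underflow the counter.
                toWithdraw -= got > toWithdraw ? toWithdraw : got;
            } catch {
                // Illiquid or reverting pool: move on to the next one.
            }
        }

        withdrawn = assets - toWithdraw;
        if (toWithdraw > 0) revert InsufficientLiquidity(assets, withdrawn);
    }
}
```

Reverting with InsufficientLiquidity when the bounded walk cannot cover the request surfaces the misordered queue to the vault manager instead of silently returning less than the user asked for.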