Assessment reportsPublic findings
Back to Zellic site
Assessment reports>EtherFi>Medium findings>Queued withdrawals are not claimed by ,forcePartialWithdraw
GeneralOverview
Findings
Critical (5)
High (1)
Medium (3)BNFT holder is compared with an incorrect addressQueued withdrawals are not claimed by `forcePartialWithdraw`Deposit cancellation may fail
Low (1)
Informational (1)
DiscussionUnused variables could be removed
Threat ModelWhat are threat models?EtherFiNode.solEtherFiNodesManager.solLiquidityPool.solStakingManager.sol
Audit ResultsSummary
Category: Coding Mistakes

Queued withdrawals are not claimed by forcePartialWithdraw

Medium Severity
Medium Impact
Medium Likelihood

Description

The function forcePartialWithdraw could be called by an admin to force a partial withdrawal. This function internally calls _getTotalRewardsPayoutsFromSafe, which in turn calls getRewardsPayouts in the etherFiNode manager, which calls withdrawableBalanceInExecutionLayer to calculate the rewards to be distributed. If restaking is enabled, the function withdrawableBalanceInExecutionLayer would add all the claimable withdrawals from the delayedWithdrawalRouter to the current balance of the etherFiNode.

The function forcePartialWithdraw does not claim the queued withdrawals first, but the queued withdrawals are added to be distributed to the different entities. As the function does not claim these queued withdrawals first, there would not be enough tokens in the etherFiNode contract to be distributed amongst the entities, and this call would revert.

Impact

The function forcePartialWithdraw would revert in certain cases.

Recommendations

We recommend calling claimQueuedWithdrawals to claim the queued withdrawals in forcePartialWithdraw.

Remediation

This issue has been acknowledged by EtherFi, and a fix was implemented in commit 3c2a6b50.

Zellic © 2025Back to top ↑