The queueWithdraw
function lacks a zero-value check for the shares
parameter
Description
The queueWithdraw()
function does not validate that the shares
parameter is nonzero. Consequently, a user can call queueWithdraw()
with a shares
value of zero. This action adds an unnecessary withdrawal request to the queue.
function queueWithdraw(uint256 shares) external {
if (queuedShares[msg.sender] + shares > balanceOf(msg.sender)) revert InsufficientBalance();
uint256 id = ++_withdrawCounter;
queuedShares[msg.sender] += shares;
queuedWithdraw[id] = Withdrawal(msg.sender, shares);
_withdrawQueue.push(id);
emit WithdrawQueued(id, msg.sender, shares);
}
Impact
If an administrator processes withdrawals according to a schedule for the processWithdraws
function — for example, processing 100 withdrawals per hour — a malicious actor could add numerous zero-share withdrawal requests to the queue. This could delay withdrawals for legitimate users. Additionally, the administrator would incur higher gas fees for processWithdraws
if many such malicious requests are present.
Recommendations
We recommend adding a check to ensure that the input shares
parameter is greater than zero.
Remediation
This issue has been acknowledged by Liquid Labs, Inc., and a fix was implemented in commit c02f073e↗.