Description

The queueWithdraw() function does not validate that the shares parameter is nonzero. Consequently, a user can call queueWithdraw() with a shares value of zero. This action adds an unnecessary withdrawal request to the queue.

function queueWithdraw(uint256 shares) external {
    if (queuedShares[msg.sender] + shares > balanceOf(msg.sender)) revert InsufficientBalance();

    uint256 id = ++_withdrawCounter;

    queuedShares[msg.sender] += shares;
    queuedWithdraw[id] = Withdrawal(msg.sender, shares);
    _withdrawQueue.push(id);

    emit WithdrawQueued(id, msg.sender, shares);
}

Impact

If an administrator processes withdrawals according to a schedule for the processWithdraws function — for example, processing 100 withdrawals per hour — a malicious actor could add numerous zero-share withdrawal requests to the queue. This could delay withdrawals for legitimate users. Additionally, the administrator would incur higher gas fees for processWithdraws if many such malicious requests are present.

Recommendations

We recommend adding a check to ensure that the input shares parameter is greater than zero.

Remediation

This issue has been acknowledged by Liquid Labs, Inc., and a fix was implemented in commit c02f073e↗.