Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Lido Fixed Income>Threat Model>finalizeVaultEndedWithdrawals
GeneralOverview
Findings
Critical (2)
High (3)
Medium (2)
Low (5)
Informational (2)
DiscussionConsider transferring stETH instead of ETHConfusing math in finalizeVaultEndedWithdrawalsPremium claim requirement ensures safety tooComment implies more centralization than existsUse batch withdrawals for gas savingsUnused event `VaultCodeSet`
Threat ModelWhat are threat models?
LidoVault.solclaimFixedPremiumdepositfinalizeVaultEndedWithdrawalsfinalizeVaultNotStartedFixedWithdrawalsfinalizeVaultOngoingFixedWithdrawalsfinalizeVaultOngoingVariableWithdrawalsgetFixedOngoingWithdrawalRequestIdsgetFixedOngoingWithdrawalRequestTimestampinitializeisEndedisStartedmaxStETHWithdrawalAmountminStETHWithdrawalAmountstakingBalancewithdraw
VaultFactory.sol
Audit ResultsSummary

Function: finalizeVaultEndedWithdrawals(uint256 side)

This function is to finailize withdrawals when the vault is ended.

Inputs

  • side

    • Control: Arbitrary.

    • Constraints: It is expected FIXED or VARIABLE value.

    • Impact: The value of side.

Function call analysis

  • this.claimOngoingFixedWithdrawals() -> this.claimFixedVaultOngoingWithdrawal(fixedUser) -> this.claimWithdrawals(msg.sender, requestIds) -> this._claimWithdrawals(user, requestIds) -> LidoVault.lidoWithdrawalQueue.claimWithdrawal(requestIds[i])

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.claimOngoingFixedWithdrawals() -> this.claimFixedVaultOngoingWithdrawal(fixedUser) -> this.calculateFixedEarlyExitFees(upfrontPremium, request.timestamp) -> Math.mulDiv(this.endTime > timestampRequested ? this.endTime - timestampRequested : 0, 1000000000000000000, this.duration)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.claimOngoingFixedWithdrawals() -> this.claimFixedVaultOngoingWithdrawal(fixedUser) -> this.calculateFixedEarlyExitFees(upfrontPremium, request.timestamp) -> Math.mulDiv(upfrontPremium, Math.mulDiv(1 + this.earlyExitFeeBps, remainingProportion, 1000000000000000000), 10000)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.claimOngoingFixedWithdrawals() -> this.claimFixedVaultOngoingWithdrawal(fixedUser) -> this.calculateFixedEarlyExitFees(upfrontPremium, request.timestamp) -> Math.mulDiv(1 + this.earlyExitFeeBps, remainingProportion, 1000000000000000000)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.claimOngoingFixedWithdrawals() -> this.claimFixedVaultOngoingWithdrawal(fixedUser) -> this.calculateFixedEarlyExitFees(upfrontPremium, request.timestamp) -> Math.mulDiv(upfrontPremium, timestampRequested - this.startTime, this.duration)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.claimOngoingFixedWithdrawals() -> this.claimFixedVaultOngoingWithdrawal(fixedUser) -> Math.min(earlyExitFees, amountWithdrawn)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.applyProtocolFee(this.vaultEndedStakingEarnings) -> Math.mulDiv(stakingEarnings, this.protocolFeeBps, 10000)

    • What is controllable? None.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.vaultEndedWithdraw(side) -> this.stakingBalance() -> LidoVault.lido.balanceOf(address(this))

    • What is controllable? side.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.vaultEndedWithdraw(side) -> this.requestEntireBalanceWithdraw(msg.sender) -> this.requestWithdrawViaETH(user, stETHAmount) -> this._requestWithdraw(user, stETHAmount) -> LidoVault.lido.approve(address(LidoVault.lidoWithdrawalQueue), stETHAmount)

    • What is controllable? side.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.vaultEndedWithdraw(side) -> this.requestEntireBalanceWithdraw(msg.sender) -> this.requestWithdrawViaETH(user, stETHAmount) -> this._requestWithdraw(user, stETHAmount) -> LidoVault.lidoWithdrawalQueue.requestWithdrawals(amounts, address(this))

    • What is controllable? side.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.vaultEndedWithdraw(side) -> Math.mulDiv(this.fixedBearerToken[msg.sender], this.vaultEndedFixedDepositsFunds, this.fixedLidoSharesTotalSupply())

    • What is controllable? side.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

  • this.vaultEndedWithdraw(side) -> this.calculateVariableWithdrawState(totalEarnings, this.variableToWithdrawnStakingEarnings[msg.sender]) -> Math.mulDiv(bearerBalance, totalEarnings, this.variableSideCapacity)

    • What is controllable? side.

    • If the return value is controllable, how is it used and how can it go wrong? None.

    • What happens if it reverts, reenters or does other unusual control flow? N/A.

Zellic © 2025Back to top ↑