This repository has been archived by the owner on Jan 7, 2024. It is now read-only.

n1punp - VUSD's withdrawal request can be skipped if reserve has not enough balance at the moment of processing --> Users can get DoS #3

Closed
sherlock-admin opened this issue Jul 3, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue


n1punp

high

VUSD's withdrawal request can be skipped if reserve has not enough balance at the moment of processing --> Users can get DoS

Summary

VUSD's withdrawal request can be skipped if the reserve does not have enough balance at the moment of withdrawal processing.

Vulnerability Detail

The `processWithdrawals` function will loop through each withdrawal request made, and will try to process it if there's sufficient remaining balance. However, if the balance is insufficient, a fail event will be emitted and the request will simply be skipped (and will never be re-processed).

Impact

  • The withdrawal request can be front-run by other users --> it's possible that the user who wants to withdraw is front-run every time, so that the remaining balance is always insufficient -> cannot withdraw forever.

Code Snippet

https://github.com/sherlock-audit/2023-04-hubble-exchange/blob/main/hubble-protocol/contracts/VUSD.sol#L79

Tool used

Manual Review

Recommendation

Possible mitigations are:

  1. always ensure balance is available for withdrawal, or
  2. re-queue the failed ones (append the withdrawal request if the request fails instead of just skipping).

Duplicate of #162
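
The behaviour the report describes, next to its second mitigation, as an added Python model (not part of the original issue and not the code in VUSD.sol). The class, its fields, the user names and the amounts are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class WithdrawalQueue:
    """Simplified model of a reserve-backed withdrawal queue (hypothetical)."""
    reserve: int
    requeue_failed: bool  # False: skip on failure (as reported); True: mitigation 2
    pending: deque = field(default_factory=deque)
    paid: list = field(default_factory=list)
    failed_events: list = field(default_factory=list)

    def request(self, user, amount):
        self.pending.append((user, amount))

    def process_withdrawals(self):
        # One pass over the requests that were queued when the call started.
        for _ in range(len(self.pending)):
            user, amount = self.pending.popleft()
            if amount <= self.reserve:
                self.reserve -= amount
                self.paid.append((user, amount))
                continue
            # Insufficient reserve: record the failure event.
            self.failed_events.append((user, amount))
            if self.requeue_failed:
                # Mitigation 2: append the failed request so a later pass retries it.
                self.pending.append((user, amount))
            # Otherwise the request is gone and no later pass will see it.


def scenario(requeue_failed):
    q = WithdrawalQueue(reserve=100, requeue_failed=requeue_failed)
    q.request("alice", 90)   # constructed: processed ahead of bob
    q.request("bob", 50)     # constructed: 10 left in reserve when bob is reached
    q.process_withdrawals()
    q.reserve += 200         # reserve is topped up after the first pass
    q.process_withdrawals()
    return q


if __name__ == "__main__":
    for mode in (False, True):
        q = scenario(mode)
        print("requeue" if mode else "skip", "paid:", q.paid, "pending:", list(q.pending))
```

Re-queuing by appending moves the failed request to the tail, so it keeps the request alive but does not preserve its original position in the queue.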

@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jul 10, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jul 19, 2023