
Users can lose access to funds due to minimum withdrawal limits.

Medium · Code4rena

Lines of code

https://github.com/code-423n4/2024-03-ondo-finance/blob/78779c30bebfd46e6f416b03066c55d587e8b30b/contracts/ousg/ousgInstantManager.sol#L402-L405

Vulnerability details

Impact

The InstantManager contract restricts deposits and withdrawals to certain minimum amounts. Users can deposit a minimum of 100k USDC tokens, and withdraw a minimum of 50k USDC tokens.

The issue is that the minimum withdrawal limit can lead to users losing access to part of their funds. Say a user deposits 100k USDC tokens and then later withdraws 60k USDC tokens. Now the user has only 40k USDC worth of holdings in their account and cannot withdraw the full amount, because it falls below the minimum withdrawal limit of 50k USDC tokens. The user is now stuck with 40k USDC tokens in their account, and cannot withdraw them.

The only option the user has is to deposit 100k USDC more, and then withdraw the whole 140k USDC amount. This will incur fees on the extra 100k USDC the user brings as well. Thus this is a medium severity issue.

Proof of Concept

The scenario can be recreated in the following steps:

  1. User ALICE deposits 100k USDC tokens.
  2. User ALICE withdraws 60k USDC tokens.
  3. User ALICE tries to withdraw 40k USDC tokens. The contract reverts, as the amount is below the minimum withdrawal limit of 50k USDC tokens.
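
The three steps above, replayed against a simplified model of the limit checks, with the recommended full-exit exemption as a switch. This is an added example, not code from the report or from ousgInstantManager.sol; the class and function names are hypothetical, and the model tracks balances in USDC terms while ignoring fees and OUSG pricing.

```python
# Simplified model of the minimum-limit logic described in the report
# (constructed; names are hypothetical, not taken from the contract).
MIN_DEPOSIT = 100_000   # USDC, minimum deposit stated in the report
MIN_WITHDRAW = 50_000   # USDC, minimum withdrawal stated in the report


class BelowMinimum(Exception):
    """Stands in for the contract revert on a below-minimum amount."""


class InstantManagerModel:
    def __init__(self, allow_full_exit=False):
        self.balances = {}
        # allow_full_exit=True models the recommended mitigation.
        self.allow_full_exit = allow_full_exit

    def deposit(self, user, amount):
        if amount < MIN_DEPOSIT:
            raise BelowMinimum("deposit below minimum")
        self.balances[user] = self.balances.get(user, 0) + amount

    def withdraw(self, user, amount):
        balance = self.balances.get(user, 0)
        if amount <= 0 or amount > balance:
            raise ValueError("invalid amount")
        # Mitigation: waive the minimum only when the user empties the account.
        is_full_exit = amount == balance
        if amount < MIN_WITHDRAW and not (self.allow_full_exit and is_full_exit):
            raise BelowMinimum("withdrawal below minimum")
        self.balances[user] = balance - amount


def run_scenario(allow_full_exit):
    """Replay the three PoC steps; return (final balance, step 3 reverted?)."""
    m = InstantManagerModel(allow_full_exit)
    m.deposit("ALICE", 100_000)      # step 1
    m.withdraw("ALICE", 60_000)      # step 2
    try:
        m.withdraw("ALICE", 40_000)  # step 3
        reverted = False
    except BelowMinimum:
        reverted = True
    return m.balances["ALICE"], reverted


if __name__ == "__main__":
    print("current behaviour:", run_scenario(False))
    print("with mitigation:  ", run_scenario(True))
```

With the exemption enabled, a partial withdrawal below the minimum still reverts; only a withdrawal of the entire remaining balance is let through.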

Tools Used

Manual Review

Recommended Mitigation Steps

Allow users to remove all their funds from the contract even if it is below the minimum limit. Since the protocol now uses a more liquid system such as the BUIDL token, this should be possible and should not affect the protocol's functioning.

Assessed type

Other