The attacker can deplete daily withdrawal limit by taking flash loan, making a deposit and an immediate withdrawal. There is no risks or fees involved for the attacker. This behavior prevents benign users from redeeming/withdrawing from the vault.
By default there is a 100 ETH daily limit for withdrawal.
function initialize() public reinitializer(2) {
// In this initialization, we swap out the underlying stETH with WETH
ERC4626Storage storage erc4626Storage = _getERC4626StorageInternal();
erc4626Storage._asset = _WETH;
_setDailyWithdrawalLimit(100 ether); // @audit
_updateDailyWithdrawals(0);
}
To mitigate the issue:
Replenish the daily limit whenever a mint/deposit occur.
Prohibit flash deposit-redeem actions taking place in one tx.
Proof of Concept
To run the PoC place the file inside test/Integration/Immunefi.fork.t.sol and run the following command.