# 28827 - \[SC - Insight] Multi requestid claims can trigger DOS Submitted on Feb 28th 2024 at 03:26:42 UTC by @SentientX for [Boost | Puffer Finance](https://immunefi.com/bounty/pufferfinance-boost/) Report ID: #28827 Report type: Smart Contract Report severity: Insight Target: Impacts: * Temporary freezing of funds for at least 1 hour ## Description ## Brief/Intro Claiming multiple withdrawals from Puffer Vault using multiple requestid's in an array can lead to denial of service triggered by bottleneck race conditions in corresponding function in Lido handling claim request. ## Vulnerability Details When multisig action initiatesWithdrawal from Lido by calling `function initiateETHWithdrawalsFromLido(uint256[] calldata amounts) external`, users can claim their withdrawals based on requestid's by calling `function claimWithdrawalsFromLido(uint256[] calldata requestIds) external` This function in turn by using this line `_LIDO_WITHDRAWAL_QUEUE.claimWithdrawal(requestIds[i]);` passing the requestId/s as an array to the Lido WithdrawalQueue.sol address `0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1` ``` function claimWithdrawal(uint256 _requestId) external { _claim(_requestId, _findCheckpointHint(_requestId, 1, getLastCheckpointIndex()), msg.sender); _emitTransfer(msg.sender, address(0), _requestId); } ``` This may create bottle necks that can get users funds stuck or create a Denial of Service when a user pass a large number of requestid's at once. Example: 1. Alice mints seperate amounts of puffEth example at 10 different times. 2. Multisig calls initiateWithdraw from Lido 3. Alice attempts to claim all 10 withdrawals and this creates a denial of service. Please see POC. Consider the following solution: Lido, has options of bulk claims using `function claimWithdrawalsTo(uint256[] calldata _requestIds, uint256[] calldata _hints, address _recipient)` and their can be a seperate function `function claimWithdrawalFromLido(requestId) external` To handle individual withdrawals from Lido. This should prevent against the above scenario at improve user experience. ## Impact Details Denial of Service can be caused if users attempt to claim multiple request at a time. ## References Result after running POC: ``` ├─ [31770] 0xD9A442856C234a39a81a089C06451EBAa4306a72::claimWithdrawalsFromLido([27173 [2.717e4], 27174 [2.717e4], 27176 [2.717e4], 27177 [2.717e4], 27178 [2.717e4], 27179 [2.717e4], 27180 [2.718e4], 27181 [2.718e4], 27182 [2.718e4], 27183 [2.718e4]]) │ ├─ [31316] 0x39Ca0a6438B6050ea2aC909Ba65920c7451305C1::claimWithdrawalsFromLido([27173 [2.717e4], 27174 [2.717e4], 27176 [2.717e4], 27177 [2.717e4], 27178 [2.717e4], 27179 [2.717e4], 27180 [2.718e4], 27181 [2.718e4], 27182 [2.718e4], 27183 [2.718e4]]) [delegatecall] │ │ ├─ [6096] 0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1::claimWithdrawal(27173 [2.717e4]) │ │ │ ├─ [5512] 0xE42C659Dc09109566720EA8b2De186c2Be7D94D9::claimWithdrawal(27173 [2.717e4]) [delegatecall] │ │ │ │ └─ ← │ │ │ └─ ← │ │ └─ ← ``` ## Proof of Concept 1. mkdir pufferPOC 2. cd pufferPOC 3. delete test folder and Counter.sol and Counter.t.sol 4. place poc and interfaces in src folder run with `forge test --contracts ./src/pufferPOC-3.sol -vvvv --evm-version shanghai` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/puffer-finance/28827-sc-insight-multi-requestid-claims-can-trigger-dos.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.