0xlookman - During a withdraw in L1Staking.sol when a user is not able to claim his amount before the withdrawalLockBlocks, Eth will forever be locked in this contract.

[sherlock-admin4]

0xlookman

Medium

During a withdraw in L1Staking.sol when a user is not able to claim his amount before the withdrawalLockBlocks, Eth will forever be locked in this contract.

0xlookman

Medium

Summary

When unstaking Eth from the L1Staking contract, users are given a window between the current block(the one they are withdrawing from) upto a period when withdrawalLockBlocks ends.

After this block in case a user has not withdrawn his eth, it will forever be locked in the contract with nothing like a rescue function to withdraw it.

Vulnerability Detail

The withdraw process in L1Staking takes places in two steps, a staker first call L1Staking.sol::Withdraw and then L1Staking.sol::claimWithdrawal.

But calling L1Staking.sol::claimWithdrawal is time limited since after withdrawalLockBlocks number of blocks, the user will nolonger be allowed to call and withdraw his amount.

     require(withdrawals[_msgSender()] < block.number, "withdrawal locked");

• https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/staking/L1Staking.sol#L309

The above check ensures that a user won't be able to to withdraw after withdrawalLockBlocks, hence the value will forever remain in the contract.

The problem arises that this contract lacks a function that can help to rescue such tokens or value meaning that this eth will forever be locked in the contract.

Impact

Mishandling of Eth and Loss of tokens

Code Snippet

• https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/l1/staking/L1Staking.sol#L309

Tool used

Manual Review

Recommendation

Consider implementing a function that can recover tokens that are stuck in this contract.