openzeppelin-contracts icon indicating copy to clipboard operation
openzeppelin-contracts copied to clipboard
verified publisher icon OpenZeppelin

ERC4626: Sweep residual assets on final withdraw to avoid stranded funds

Open viktorking7 opened this issue 2 months ago • 2 comments

Description

Prevents stranded assets when totalSupply == 0 by sweeping any residual underlying tokens to the current receiver on the last withdraw, and reflecting the swept amount in the Withdraw event.

Direct donations or rounding can leave non-zero totalAssets with zero shares, causing future deposits to mint 0 shares and making assets effectively stuck.

viktorking7 avatar Nov 11 '25 13:11 viktorking7

⚠️ No Changeset found

Latest commit: 2d1ce226cb38fb3f074b55d9c88ce14ec341c6db

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

changeset-bot[bot] avatar Nov 11 '25 13:11 changeset-bot[bot]

Walkthrough

The ERC4626 contract's _withdraw method was modified to handle residual asset balances. After burning shares and transferring assets, the implementation now sweeps any remaining asset balance to the receiver when the vault is emptied (when totalSupply() equals zero). The total amount swept is added to withdrawnAssets, and the Withdraw event emission was updated to report withdrawnAssets instead of the original assets parameter to accurately reflect the total amount transferred, including swept residuals. The deposit path remains unchanged.

Possibly related PRs

  • OpenZeppelin/openzeppelin-contracts#5970: Both PRs modify the ERC4626 _withdraw flow, with this PR adding post-withdrawal sweeping of residual assets while the other introduces overridable _transferOut for direct transfer operations.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely describes the main change: sweeping residual assets on final withdraw to prevent stranded funds in ERC4626, which directly matches the implementation in the changeset.
Description check ✅ Passed The description clearly explains the problem (stranded assets when totalSupply == 0), the solution (sweeping residual tokens), and the motivation (direct donations or rounding), all directly related to the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • [ ] Create PR with unit tests
  • [ ] Post copyable unit tests in a comment
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6308fdc5e8e0d5e8a94dc9d5d4c79f6331334c81 and 2d1ce226cb38fb3f074b55d9c88ce14ec341c6db.

📒 Files selected for processing (1)
  • contracts/token/ERC20/extensions/ERC4626.sol (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: Redirect rules - solidity-contracts
  • GitHub Check: Header rules - solidity-contracts
  • GitHub Check: Pages changed - solidity-contracts
  • GitHub Check: tests-upgradeable
  • GitHub Check: coverage
  • GitHub Check: tests-foundry
  • GitHub Check: slither
  • GitHub Check: tests
  • GitHub Check: halmos
🔇 Additional comments (1)
contracts/token/ERC20/extensions/ERC4626.sol (1)

298-308: Great dust-sweep addition

Sweeping the leftover balance once the last shares are burned cleanly fixes the stranded-asset edge case without widening the reentrancy surface, and updating the event to report the actual amount withdrawn keeps downstream accounting intact. Nicely done.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot] avatar Nov 11 '25 13:11 coderabbitai[bot]

I'm worried this would possibly be used by an attacker to extract value that is supposed to be burned.

This change give access to all the rounding error that accumulate through the life of the contract. It also allows recovering the the part of donations that is lost to the offset, possibly negating the effectiveness of the protection.

Amxx avatar Dec 15 '25 14:12 Amxx