FLOW-1: Double-refund on failed CREATE/DEPOSIT operations

[liobrasil]

Severity: High

Files Affected

• cadence/contracts/FlowYieldVaultsEVM.cdc
• solidity/src/FlowYieldVaultsRequests.sol

Description

When a CREATE/DEPOSIT request fails after funds have been moved to Cadence, the returnFundsAndFail() function bridges funds directly back to the user's EVM address via bridgeFundsToEVMUser(), then calls completeProcessing() with success: false.

The EVM contract then credits the same amount to pendingUserBalances, allowing the user to claim via claimRefund(). The user receives funds twice: once via direct bridge, once via refund claim.

This is exploitable whenever the COA holds sufficient balance of the refund token (operational funding, dust accumulation, residual balances).

Recommendation

Implement single-path refund semantics. Either bridge directly to user OR credit pendingUserBalances, never both.

---

Parent Issue: #15

[liobrasil]

Fixed in commit 8ce7203

Refunds now use pull-based model via claimableRefunds mapping. Failed requests credit claimableRefunds (not pendingUserBalances), eliminating double-refund path.

[vishalchangrani]

https://consensysdiligence.github.io/smart-contract-best-practices/development-recommendations/general/external-calls/#favor-pull-over-push-for-external-calls

As a security practice it was suggested we do claim vs push funds.

[vishalchangrani]

@liobrasil - please add link to E2E test. ty.