Skip to content

FLOW-2: No recovery mechanism for stuck PROCESSING requests #17

New issue
New issue
Closed
Closed
FLOW-2: No recovery mechanism for stuck PROCESSING requests#17
Assignees
nvdtf
Labels
HighHigh severity security finding⎈ QuantStampQuantStamp audit finding
@liobrasil

Description

@liobrasil
liobrasil
opened on Jan 19, 2026

Severity: High

Files Affected

  • solidity/src/FlowYieldVaultsRequests.sol
  • cadence/contracts/FlowYieldVaultsEVM.cdc

Description

The dropRequests() function only operates on requests in PENDING status. If a request transitions to PROCESSING via startProcessing() but completeProcessing() never succeeds, the request and escrowed funds become permanently stuck.

The Cadence worker treats completeProcessing() failure as a soft failure (emits event, continues) rather than aborting. This means Cadence-side state can commit while the EVM request remains in PROCESSING with no on-chain recovery path.

While one-time failures can be resolved by manually retrying completeProcessing(), there is no on-chain timeout or force-finalize mechanism for cases where the failure persists (see FLOW-4 for ERC20-specific cases).

Common Root Cause (shared with FLOW-2 / FLOW-3 / FLOW-6)

startProcessing() transitions PENDING → PROCESSING but does not remove the request from pendingRequestIds / pendingRequestIdsByUser (removal only happens in completeProcessing()). If completeProcessing() reverts (e.g., ERC20 refund approval/transferFrom, or out-of-gas in _removePendingRequest()), the Worker does not revert the Cadence transaction, so Cadence-side state may commit while the EVM request remains PROCESSING in the pending queues. Since cancelRequest()/dropRequests() only operate on PENDING, there is no in-protocol escape hatch.

Example (permanently stuck PROCESSING)

  1. A CREATE_YIELDVAULT/DEPOSIT_TO_YIELDVAULT request is picked up and startProcessing() succeeds (status → PROCESSING; funds transferred to the COA).
  2. The Cadence operation completes (success or failure), but the subsequent EVM completeProcessing() call reverts every time (e.g., out-of-gas in _removePendingRequest() due to a very large FIFO queue).
  3. Result: the request stays PROCESSING and cannot be cancelled/dropped (both require PENDING), so funds/state remain stuck without an admin recovery path.

Recommendation

Add an admin recovery mechanism for long-stuck PROCESSING requests with appropriate timeout and accounting checks.

Parent Issue: #15

Metadata

Metadata

Assignees

Labels

HighHigh severity security finding⎈ QuantStampQuantStamp audit finding

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions