FLOW-3: Cross-VM state desync when completeProcessing fails after successful operation #18
Description
Severity: Medium
Files Affected
cadence/contracts/FlowYieldVaultsEVM.cdcsolidity/src/FlowYieldVaultsRequests.sol
Description
YieldVault ownership is tracked on both EVM (validYieldVaultIds, yieldVaultOwners) and Cadence (yieldVaultsByEVMAddress, yieldVaultOwnershipLookup). If Cadence successfully creates/closes a vault but completeProcessing() fails, the two sides diverge.
This blocks users from subsequent EVM interactions because the EVM registry is not updated despite Cadence state changes. Users cannot create new requests if they've hit the pending limit, and manual intervention is required.
Common Root Cause (shared with FLOW-2 / FLOW-3 / FLOW-6)
startProcessing() transitions PENDING → PROCESSING but does not remove the request from pendingRequestIds / pendingRequestIdsByUser (removal only happens in completeProcessing()). If completeProcessing() reverts (e.g., ERC20 refund approval/transferFrom, or out-of-gas in _removePendingRequest()), the Worker does not revert the Cadence transaction, so Cadence-side state may commit while the EVM request remains PROCESSING in the pending queues. Since cancelRequest()/dropRequests() only operate on PENDING, there is no in-protocol escape hatch.
Example (Cadence commits, EVM finalize fails)
CREATE_YIELDVAULTsucceeds on Cadence and ownership is recorded inyieldVaultsByEVMAddress/yieldVaultOwnershipLookup.- The Worker then calls EVM
completeProcessing(success=true, ...), but the call reverts (e.g., out-of-gas in_removePendingRequest()), so EVM does not updatevalidYieldVaultIds/yieldVaultOwners. - Result: Cadence and EVM ownership registries diverge, and the request can remain stuck in
PROCESSING.
Recommendation
Implement a reconciliation mechanism or admin repair tools to detect and resolve registry divergence. Add monitoring for Cadence success events without corresponding EVM COMPLETED events.
Parent Issue: #15