bin2chen - mintDepositInQueue() queue funds may be locked

[sherlock-admin]

bin2chen

high

mintDepositInQueue() queue funds may be locked

Summary

if a malicious receiver is a contract and reverts directly onERC1155Received, which causes mintDepositInQueue() revert and the funds of the users in front of this receiver will be locked

Vulnerability Detail

mintDepositInQueue() is used to execute deposit requests that are in the queue.
The code is as follows:

    function mintDepositInQueue(uint256 _epochId, uint256 _operations)
        external
        epochIdExists(_epochId)
        epochHasNotStarted(_epochId)
        nonReentrant
    {
        // make sure there is already a new epoch set
        // epoch has not started
        QueueItem[] memory queue = depositQueue;
        uint256 length = depositQueue.length;

        // dont allow minting if epochId is 0
        if (_epochId == 0) revert InvalidEpochId();

        if (length == 0) revert OverflowQueue();
        // relayers can always input a very big number to mint all deposit queues, without the need to read depostQueue length first
        if (_operations > length) _operations = length;

        // queue is executed from the tail to the head
        // get last index of queue
        uint256 i = length - 1;
        while ((length - _operations) <= i) {

            _mintShares( //<---------------If receiver is a contract, perform a revert at onERC1155Received(),will block queue
                queue[i].receiver,
                _epochId,
                queue[i].assets - relayerFee
            );
            emit Deposit(
                msg.sender,
                queue[i].receiver,
                _epochId,
                queue[i].assets - relayerFee
            );
            depositQueue.pop();
            if (i == 0) break;
            unchecked {
                i--;
            }
        }

        emit RelayerMinted(_epochId, _operations);

        asset.safeTransfer(msg.sender, _operations * relayerFee);
    }

The queue will be executed by FILO
But there is a problem here, _mintShares() may forever revert
if a malicious receiver is a contract and reverts directly onERC1155Received, which causes mintDepositInQueue() revert and the queue to be blocked and the funds of the users in front of this receiver will be locked
Example:
depositQueue[0] = jack , assets=100
depositQueue[1] = bob, assets=100
depositQueue[2] = Alice , assets=1 -----> Alice is a contract and revert in onERC1155Received()
depositQueue[3].....

In this case, jack and bob's funds will be locked

****Note: mintRollovers() also has the same problem

Impact

queue funds may be locked

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L334

Tool used

Manual Review

Recommendation

Suggest adding a methods to the factory.sol , it can remove a certain index of depositQueue from Carousel

Duplicate of #468