karsar - user who request withdraw before vault start balance is still accounted in the vault .

[sherlock-admin4]

karsar

Medium

user who request withdraw before vault start balance is still accounted in the vault .

Summary

if the user whos withdraw request was set before the vault started and withdrawn after vault start will increase fixedSidestETHOnStartCapacity .

Vulnerability Detail

If the user request withdraw before vault start which increases the fixedSidestETHOnStartCapacity and that fixedSidestETHOnStartCapacity is used for calculating withdraw amount .
if the user has deposited a large amount of deposit and request before the vault starts then the user who withdraw will be calculated with that large staking balance which could lead to wrong price being withdrawn

In Withdraw function the fixedETHDeposits is used ,

             uint256 fixedETHDeposits = fixedSidestETHOnStartCapacity;
      
        uint256 withdrawAmount = fixedETHDeposits.mulDiv(fixedBearerToken[msg.sender], fixedLidoSharesTotalSupply());
        uint256 lidoStETHBalance = stakingBalance();

        if (fixedETHDeposits > lidoStETHBalance) {
     
          // our staking balance if less than our  stETH deposits at the start of the vault - only return a proportional amount of the balance to the fixed user
          withdrawAmount = lidoStETHBalance.mulDiv(fixedBearerToken[msg.sender], fixedLidoSharesTotalSupply());
        }

Impact

incorrect accounting

Code Snippet

https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L488

Tool used

Manual Review

Recommendation

dont account balance of user who has withdrawn before vault staarted