The maxDeposit() function in the InvestToken contract incorrectly returns type(uint256).max when not paused, violating EIP-4626 specifications.
According to EIP-4626, the maxDeposit() function MUST return the maximum amount of assets that can actually be deposited without causing a revert. The current implementation returns the maximum possible uint256 value without considering any real constraints, which misleads users and integrating protocols about the actual deposit capacity.
The EIP-4626 specification explicitly states that the function:
Must not return a value higher than what would actually be accepted (which is not the case here)
Should underestimate if necessary
Must return 0 if deposits are disabled
The current implementation only handles the paused state correctly (returning 0).
If a user deposits the return value of maxDeposit(), the deposit would fail, as some tokens might already exist in his balance.
Recommendation
The maxDeposit() function should be modified to return a realistic maximum deposit amount that considers all relevant constraints.
Additional constraints should be added based on the specific requirements and limitations of the protocol. The function should always return the most conservative (lowest) value that guarantees a successful deposit.
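A sketch of the conservative bound the recommendation describes, as an added Solidity example that is not the InvestToken code. It assumes shares are minted 1:1 with assets and a hypothetical `depositCap`; the contract, interface, owner and error names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal asset interface (assumption: the asset returns bool on transferFrom).
interface IERC20Min {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CappedVaultSketch {
    IERC20Min public immutable asset;
    uint256 public immutable depositCap;  // hypothetical protocol limit on total shares
    address public immutable owner;
    bool public paused;
    uint256 public totalSupply;           // shares outstanding
    mapping(address => uint256) public balanceOf;

    error ExceedsMaxDeposit(uint256 assets, uint256 max);

    constructor(IERC20Min asset_, uint256 depositCap_) {
        asset = asset_;
        depositCap = depositCap_;
        owner = msg.sender;
    }

    function setPaused(bool value) external {
        require(msg.sender == owner, "not owner");
        paused = value;
    }

    // Shape described in the finding: ignores every limit except the pause.
    function maxDepositFlawed(address) public view returns (uint256) {
        return paused ? 0 : type(uint256).max;
    }

    // Conservative shape: remaining room under the cap. Because
    // depositCap <= type(uint256).max, this bound also keeps the checked
    // addition to totalSupply in deposit() from overflowing.
    function maxDeposit(address) public view returns (uint256) {
        if (paused) return 0;
        return depositCap > totalSupply ? depositCap - totalSupply : 0;
    }

    // deposit() enforces exactly the bound that maxDeposit() advertises.
    function deposit(uint256 assets, address receiver) external returns (uint256 shares) {
        uint256 max = maxDeposit(receiver);
        if (assets > max) revert ExceedsMaxDeposit(assets, max);
        shares = assets;                  // 1:1 assumption
        totalSupply += shares;
        balanceOf[receiver] += shares;
        require(asset.transferFrom(msg.sender, address(this), assets), "transfer failed");
    }
}
```

The bound deliberately ignores the caller's asset balance and allowance: EIP-4626 requires maxDeposit() to assume the user has infinite assets.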
Github username: --
Twitter username: Oxgreed_
Submission hash (on-chain): 0xd54a01bc9554cceed67ff36024b05290f88699e4cb4e2101ea146a013df3a344
Severity: medium