hats-finance / Velvet-Capital-0x0bb0c08fd9eeaf190064f4c66f11d18182961f77

Core smart contracts of Velvet Capital

VaultManager does not properly enforce `_minMintAmount` #31

Open hats-bug-reporter[bot] opened 1 week ago

hats-bug-reporter[bot] commented 1 week ago

Github username: @deadrosesxyz
Twitter username: @deadrosesxyz
Submission hash (on-chain): 0x1d56f602663c938c639dbf2b33efd6e3f995ab80fc5aea82d8e39fa8ec246dcf
Severity: medium

Description:

VaultManager does not properly enforce _minMintAmount

Issue details

When depositing, the user inputs `_minMintAmount`, which is the least amount of PortfolioToken they're willing to accept. However, if we look at the code of `_depositAndMint`, we'll see that the min mint check is done before fees are charged.

    // Ensure the minted amount meets the user's minimum expectation to mitigate slippage.
    _verifyUserMintedAmount(tokenAmount, _minMintAmount);

    // Mint the calculated portfolio tokens to the user, applying any cooldown periods.
    tokenAmount = _mintTokenAndSetCooldown(_depositFor, tokenAmount);

This would allow a user to receive fewer tokens than the minimum they've specified, breaking a core invariant.

Attachments

  1. Proof of Concept (PoC) File

  2. Revised Code File (Optional)
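
A simplified Python model of the check ordering described in this report, added here as an example and not taken from the Velvet Capital code base or from the reporter's submission. The 1% fee deducted at mint time, the function names and the sample amounts are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Velvet Capital's contract code.
# ENTRY_FEE_BPS and all function names here are assumptions for the example.

BPS = 10_000
ENTRY_FEE_BPS = 100  # assumed 1% fee taken at mint time


class MintAmountTooLow(Exception):
    """Stands in for the revert raised by the minimum-mint check."""


def _verify_minted(amount: int, min_mint: int) -> None:
    if amount < min_mint:
        raise MintAmountTooLow(f"{amount} < {min_mint}")


def _mint_after_fee(amount: int, fee_bps: int = ENTRY_FEE_BPS) -> int:
    """Return what the depositor actually receives once the fee is deducted."""
    fee = amount * fee_bps // BPS
    return amount - fee


def deposit_check_before_fee(token_amount: int, min_mint: int) -> int:
    """Ordering shown in the report: verify the gross amount, then mint."""
    _verify_minted(token_amount, min_mint)
    return _mint_after_fee(token_amount)


def deposit_check_after_fee(token_amount: int, min_mint: int) -> int:
    """Verify the amount the user ends up with, so the bound holds."""
    received = _mint_after_fee(token_amount)
    _verify_minted(received, min_mint)
    return received


def invariant_holds(deposit, token_amount: int, min_mint: int) -> bool:
    """True if the call either reverts or returns at least min_mint."""
    try:
        return deposit(token_amount, min_mint) >= min_mint
    except MintAmountTooLow:
        return True


if __name__ == "__main__":
    gross, minimum = 1_000, 1_000  # constructed sample values
    print(deposit_check_before_fee(gross, minimum))  # 990
    print(invariant_holds(deposit_check_before_fee, gross, minimum))
    print(invariant_holds(deposit_check_after_fee, gross, minimum))
```
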

langnavina97 commented 1 week ago

Could you please provide a PoC? @deadrosesxyz