User Will Be Repeatedly Subject to Minimum Deposit Condition
Summary
Users (except those approved by an admin) are required to meet a minimum deposit for their first deposit, but in reality, every subsequent deposit after withdrawing all funds will also be subject to this minimum deposit condition.
Vulnerability Detail
The variable minAmountToDepositInEuro and its documentation specify that the first deposit of a user must meet a minimum value (e.g., 100,000 EUR). However, not only the first deposit, but every subsequent deposit after the user has withdrawn all their funds will be checked against this minimum deposit condition.
File: midas-contracts/contracts/DepositVault.sol
32: /**
33: * @notice minimal USD amount in EUR for first user`s deposit
34: */
35: uint256 public minAmountToDepositInEuro;
Docs:
Minimum Deposit Check: The minimum deposit threshold is only applied to first-time depositors due to the condition in the validateAmountUsdIn() function. This is intended, as this validation is only required for a user's first deposit.
Below are the conditions responsible for checking the deposit amount. As seen, the condition is based on the user's total deposit, not whether it is the first deposit. This will result in the user being required to meet the minimum deposit condition again after withdrawing all their funds. Only an admin can set addresses that are exempt from the minimum deposit via isFreeFromMinDeposit.
File: midas-contracts/contracts/DepositVault.sol
155: function _validateAmountUsdIn(address user, uint256 amountUsdIn)
156: internal
157: view
158: {
159: if (totalDeposited[user] != 0) return; //@audit not only first
160: require(
161: amountUsdIn >= minAmountToDepositInUsd(),
162: "DV: usd amount < min"
163: );
164: }
Impact
After every complete withdrawal of funds, the user will have to meet the minimum deposit condition again, even though the documentation and described behavior indicate that this should only be required for the first deposit.
Implement a mechanism that automatically adds a user to isFreeFromMinDeposit after a successful first deposit or introduce a similar mechanism dedicated solely to this task.
PNS
medium
User Will Be Repeatedly Subject to Minimum Deposit Condition
Summary
Users (except those approved by an admin) are required to meet a minimum deposit for their first deposit, but in reality, every subsequent deposit after withdrawing all funds will also be subject to this minimum deposit condition.
Vulnerability Detail
The variable
minAmountToDepositInEuroand its documentation specify that the first deposit of a user must meet a minimum value (e.g., 100,000 EUR). However, not only the first deposit, but every subsequent deposit after the user has withdrawn all their funds will be checked against this minimum deposit condition.Docs:
Below are the conditions responsible for checking the deposit amount. As seen, the condition is based on the user's total deposit, not whether it is the first deposit. This will result in the user being required to meet the minimum deposit condition again after withdrawing all their funds. Only an admin can set addresses that are exempt from the minimum deposit via
isFreeFromMinDeposit.Impact
After every complete withdrawal of funds, the user will have to meet the minimum deposit condition again, even though the documentation and described behavior indicate that this should only be required for the first deposit.
Code Snippet
DepositVault.sol - Line 33
Tool used
Manual Review
Recommendation
Implement a mechanism that automatically adds a user to
isFreeFromMinDepositafter a successful first deposit or introduce a similar mechanism dedicated solely to this task.