eeyore - Fixed side users will not be able to withdraw during the `before the Vault starts` period in an edge case scenario.

[sherlock-admin3]

eeyore

Medium

Fixed side users will not be able to withdraw during the before the Vault starts period in an edge case scenario.

Summary

The README states the following for the section What properties/invariants do you want to hold even if breaking them has a low/unknown impact?:

Users on both fixed and variable sides can withdraw their initial capital before the Vault starts.

In the case where a user deposits in the fixed side and calls withdraw(), their deposit will be converted into a Lido withdrawal request that will be placed in the Lido withdrawal queue.

However, there is no restriction preventing the user from depositing again into the fixed side. In this case, they will not be able to call withdraw() again, even if the Vault has not started.

As the Lido withdrawal finalization time is unknown, it could occur after the Vault starts, leading to a breach of the protocol invariant, as the user will not be able to withdraw their initial capital before the Vault starts.

Root Cause

Missing validation in the deposit() function to check if the user has no withdrawal request on the Fixed side:
https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L336-L365

Internal pre-conditions

• The user deposited to the fixed side and called withdraw() before the Vault started.
• The user deposited again to the fixed side.

External pre-conditions

• The Lido withdrawal request is not processed.

Attack Path

1. The user tries to call withdraw() before the Vault starts, but the transaction is reverted.

Impact

• Broken protocol invariant.

PoC

Not needed.

Mitigation

Add validation in the deposit() function to prevent a user from depositing when the fixedToVaultNotStartedWithdrawalRequestIds array is not empty.