Incorrect calculation in getCalculateVariableWithdrawStateWithStakingBalance function
Summary
getCalculateVariableWithdrawStateWithStakingBalance function is using wrong variable for fixedETHDeposits which leads to incorrect calculation.
Vulnerability Detail
getCalculateVariableWithdrawStateWithStakingBalance function is implemented for variable users who wants to know how much yield is accrued for them from staking balance. So that variable users can know their earnings from staking balance at present.
For calculating variable users yield getCalculateVariableWithdrawStateWithStakingBalance function gets total earnings generated from staking in LIDO. For that they get current staking balance in lidoStETHBalance variable and fixed eth deposit in fixedETHDeposits variable and then deducting them to get earnings.
The problem occurs because they get fixedETHDeposits from variable called fixedETHDepositTokenTotalSupply. Because this variable is tracking fixed deposits till vault starts. If any fixed deposit user withdraw his eth after vault has started then it will be not deducted in fixedETHDepositTokenTotalSupply variable which leads to incorrect calculation.
function getCalculateVariableWithdrawStateWithStakingBalance(address user) public view returns (uint256) {
...
@> uint256 fixedETHDeposits = fixedETHDepositTokenTotalSupply;
...
}
Vulnerability Flow:
Soppose vault has started with 1000 eth fixed side capacity and 30 eth variable side capacity (values taken from test file values).
Now if any fixed side user withdraw his 500 eth deposits from the vault before vault has ended.
After that if varible user wants to know his yield from staking balance so he will call getCalculateVariableWithdrawStateWithStakingBalance function.
But fixedETHDepositTokenTotalSupply variable is not updated and will give 1000 eth balance.
And current staking eth balance will be (500 + yield on 500) because half fixed deposit is withdrawn.
So that it will revert because of lidoStETHBalance > fixedETHDeposits [(500+yield) - 1000].
Also, if fixed deposit withdraw is small then yield of remaining then it will give wrong value of earnings.
Impact
Variable user cannot get correct amount to withdraw from staking earnings.
Abhan1041
Medium
Incorrect calculation in
getCalculateVariableWithdrawStateWithStakingBalancefunctionSummary
getCalculateVariableWithdrawStateWithStakingBalancefunction is using wrong variable forfixedETHDepositswhich leads to incorrect calculation.Vulnerability Detail
getCalculateVariableWithdrawStateWithStakingBalancefunction is implemented for variable users who wants to know how much yield is accrued for them from staking balance. So that variable users can know their earnings from staking balance at present.For calculating variable users yield
getCalculateVariableWithdrawStateWithStakingBalancefunction gets total earnings generated from staking in LIDO. For that they get current staking balance inlidoStETHBalancevariable and fixed eth deposit infixedETHDepositsvariable and then deducting them to get earnings.The problem occurs because they get
fixedETHDepositsfrom variable calledfixedETHDepositTokenTotalSupply. Because this variable is tracking fixed deposits till vault starts. If any fixed deposit user withdraw his eth after vault has started then it will be not deducted infixedETHDepositTokenTotalSupplyvariable which leads to incorrect calculation.Vulnerability Flow:
getCalculateVariableWithdrawStateWithStakingBalancefunction.fixedETHDepositTokenTotalSupplyvariable is not updated and will give 1000 eth balance.Impact
Variable user cannot get correct amount to withdraw from staking earnings.
Code Snippet
https://github.com/sherlock-audit/2024-08-saffron-finance/blob/38dd9c8436db341c331f1b14545770c1766fc0ee/lido-fiv/contracts/LidoVault.sol#L880C3-L896C4
Tool used
Manual Review
Recommendation
Use updated values for
fixedETHDepositsto calculate total earnings.