FadoBagi - FadoBagi - Lack of Input Validation on Deposited Amounts

[sherlock-admin4]

FadoBagi

High

FadoBagi - Lack of Input Validation on Deposited Amounts

FadoBagi

High

Lack of Input Validation on Deposited Amounts

Summary

The LidoVault contract does not impose an upper limit on the amount a single user can deposit into either the fixed or variable sides. While it ensures that deposits do not exceed the remaining capacity, the absence of a per-user deposit cap allows a single user to dominate a side, restricting participation from others and centralizing risk and rewards.

Vulnerability Detail

In the deposit function, the contract verifies that the deposited amount does not exceed the remaining capacity but does not enforce a maximum deposit per user:

function deposit(uint256 side) external payable {
    // ...
    require(msg.value >= minimumDepositAmount, "MDA");
    // ...
}

The contract only checks that the deposit amount does not surpass the remaining capacity of the fixed or variable side. But a single user can deposit a disproportionately large amount, potentially filling the entire capacity of one side.

Without a per-user deposit cap, a user can contribute significantly more than others. This limits participation from other users, centralizes risk and rewards.

Impact

A single user dominating a deposit side can lead to centralized risk and restricts other users from participating.

Code Snippet

Deposit Capacity Checks: https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L328-L333

Tool used

Manual Review

Recommendation

Implement a maximum deposit limit per user to prevent any single address from dominating the fixed or variable sides. A maxDepositPerUser variable could be used and enforced within the deposit function.