sherlock-audit / 2024-08-saffron-finance-judging


0xloophole - Insufficient Fixed-Side Capacity in Vault Creation Can Lead to Unusable Vaults #143

Open sherlock-admin4 opened 2 months ago

sherlock-admin4 commented 2 months ago

0xloophole

Medium

Insufficient Fixed-Side Capacity in Vault Creation Can Lead to Unusable Vaults

Details

The VaultFactory contract's createVault function deploys a new LidoVault contract and initializes it with parameters like _fixedSideCapacity, _duration, and _variableSideCapacity.

Currently, the createVault function lacks a check to ensure that the _fixedSideCapacity parameter is sufficiently large to accommodate the minimum fixed deposit requirement defined by minimumFixedDepositBps in the LidoVault contract.

Code Snippets

https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/VaultFactory.sol#L107

function createVault(
    uint256 _fixedSideCapacity,
    uint256 _duration,
    uint256 _variableSideCapacity
) public virtual {
    // ... Existing code ...

    // Initialize vault
    ILidoVault(vaultAddress).initialize(params);

    // ... Existing code ...
}

https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L65

uint256 public immutable minimumFixedDepositBps = 500; // default 5%
// ... other code ...
require(params.fixedSideCapacity.mulDiv(minimumFixedDepositBps, 10_000) >= minimumDepositAmount, "IFC");

Impact

This omission can lead to the deployment of vaults where it's practically impossible for fixed-side depositors to participate due to an excessively high minimum deposit requirement. Specifically, if the _fixedSideCapacity is set too low, the calculated minimumFixedDeposit might exceed the _fixedSideCapacity, making it impossible to fulfill.

Scenario

Fix

Introduce a check in the createVault function within VaultFactory.sol to enforce that the _fixedSideCapacity is greater than or equal to the calculated minimum fixed deposit amount.

function createVault(
    uint256 _fixedSideCapacity,
    uint256 _duration,
    uint256 _variableSideCapacity
) public virtual {
    // ... Existing code ...

    // Calculate minimumFixedDeposit
    uint256 minimumFixedDeposit = _fixedSideCapacity.mulDiv(minimumFixedDepositBps, 10_000);

    // Ensure _fixedSideCapacity is sufficient
    require(_fixedSideCapacity >= minimumFixedDeposit, "FSC");

    // Initialize vault
    ILidoVault(vaultAddress).initialize(params);

    // ... Existing code ...
}
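The two `require` checks quoted in this report ("IFC" in `LidoVault` and the proposed "FSC" in `createVault`) can be compared over sample capacities with a small integer model. This is an added example, not code from the report or from the Saffron repository. The `MINIMUM_DEPOSIT_AMOUNT` value is a constructed assumption (the page does not give it), and `mulDiv` is assumed to round down.

```python
# Added example: integer model of the two require() checks quoted on this page.
BPS_DENOMINATOR = 10_000
MINIMUM_FIXED_DEPOSIT_BPS = 500  # from the LidoVault snippet ("default 5%")
# Assumption: minimumDepositAmount is not given on the page; this value is constructed.
MINIMUM_DEPOSIT_AMOUNT = 10**16  # wei


def mul_div(x: int, y: int, denominator: int) -> int:
    """floor(x * y / denominator); assumes mulDiv rounds down."""
    return (x * y) // denominator


def minimum_fixed_deposit(capacity: int) -> int:
    """fixedSideCapacity.mulDiv(minimumFixedDepositBps, 10_000)."""
    return mul_div(capacity, MINIMUM_FIXED_DEPOSIT_BPS, BPS_DENOMINATOR)


def initialize_check_passes(capacity: int, floor_amount: int = MINIMUM_DEPOSIT_AMOUNT) -> bool:
    """Models the quoted LidoVault check that reverts with "IFC"."""
    return minimum_fixed_deposit(capacity) >= floor_amount


def proposed_factory_check_passes(capacity: int) -> bool:
    """Models the check proposed under Fix that reverts with "FSC".

    With a bps value of at most 10_000 the scaled amount never exceeds
    the capacity it was derived from, so this comparison holds for every input.
    """
    return capacity >= minimum_fixed_deposit(capacity)


def smallest_capacity_accepted(floor_amount: int = MINIMUM_DEPOSIT_AMOUNT) -> int:
    """Smallest capacity that passes the "IFC" check (ceiling division)."""
    return -(-floor_amount * BPS_DENOMINATOR // MINIMUM_FIXED_DEPOSIT_BPS)


def compare(capacities):
    """Return (capacity, min_deposit, ifc_passes, fsc_passes) per capacity."""
    return [
        (c, minimum_fixed_deposit(c), initialize_check_passes(c),
         proposed_factory_check_passes(c))
        for c in capacities
    ]


if __name__ == "__main__":
    boundary = smallest_capacity_accepted()
    # Constructed sample capacities in wei, around the "IFC" boundary.
    for row in compare([0, 1, 10**16, boundary - 1, boundary, 10**18]):
        print(row)
```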