Fixed users can't withdraw funds after calling claimFixedPremium upfront
Summary
Fixed depositors will have their claim tokens set to zero after claiming their premium, which will cause a revert on their withdrawals.
Root Cause
In vault.sol, the logic of setting fixedClaimToken[msg.sender] to zero during the claimFixedPremium function prevents fixed depositors from withdrawing their funds afterward.
Firstly in the deposit function, fixed depositor gets minted claim tokens. L359
// Mint claim tokens
fixedClaimToken[msg.sender] += shares;
Secondly in the claimFixedPremium function, fixed depositor burns his claim tokens for upfront premium. User got minted bearer tokens and his claimToken balance is set to 0.
As third and last, fixed depositor tries to withdraw funds. However, a claimToken balance check in below withdraw function prevents him to withdraw his funds.
if (side == FIXED) {
require(fixedToVaultNotStartedWithdrawalRequestIds[msg.sender].length == 0, "WAR");
// need to have claim tokens
uint256 claimBalance = fixedClaimToken[msg.sender];
//uint256 claimBalance = fixedClaimToken.balanceOf(msg.sender);
require(claimBalance > 0, "NCT"); //@audit claimBalance is already set to 0 when claiming the premium, this call will revert
Internal pre-conditions
A fixed depositor needs to have a non zero balance of fixedClaimToken to call claimFixedPremium. --> After depositing that check will pass
The fixed depositor then will call claimFixedPremium to have his premium upfront, sourced by variable users.
When claimed, claimTokens will be burned and user balance will be set to 0.
The fixed depositor then will try to withdraw his funds. However, withdraw function checks if user claimToken balance is bigger than 0.
Since it has been set to 0 in claimFixedPremium, withdraw call will revert for fixed user.
Motomoto
High
Fixed users can't withdraw funds after calling claimFixedPremium upfront
Summary
Fixed depositors will have their claim tokens set to zero after claiming their premium, which will cause a revert on their withdrawals.
Root Cause
In vault.sol, the logic of setting fixedClaimToken[msg.sender] to zero during the
claimFixedPremiumfunction prevents fixed depositors from withdrawing their funds afterward.depositfunction, fixed depositor gets minted claim tokens. L359claimFixedPremiumfunction, fixed depositor burns his claim tokens for upfront premium. User got minted bearer tokens and his claimToken balance is set to 0.As third and last, fixed depositor tries to withdraw funds. However, a claimToken balance check in below
withdrawfunction prevents him to withdraw his funds.Internal pre-conditions
External pre-conditions
none
Attack Path
There is no attack. I identified the flow above.
Impact
Fixed user funds are stuck, unable to withdraw.
PoC
https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L358-L360 https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L412-L414 https://github.com/sherlock-audit/2024-08-saffron-finance/blob/main/lido-fiv/contracts/LidoVault.sol#L428-L434
Mitigation
No response