Steadefi

DeFi, Hardhat, Foundry, Oracle
35,000 USDC
Submission Details
Severity: medium
Valid

Vault may malfunction if user becomes blacklisted by tokens used in the vault

Summary

Since depositCache.user cannot be changed, some vault functions may not work as expected, or the vault itself may malfunction.

Vulnerability Details

The depositCache.user is set in deposit as the sender and cannot be changed until a new deposit is initiated.

If a user becomes blacklisted by the deposit token used in the deposit and the deposit is cancelled, then processDepositCancellation will revert and the cancelled deposit cannot be processed properly.

Also, if processDeposit fails and sets the status to Deposit_Failed, then the processDepositFailure function may be called by the keeper. processDepositFailure might malfunction if the current LP amount is less than the previous LP amount, because processDepositFailureLiquidityWithdrawal is then called, which would revert on the transfer to the blacklisted user (if tokenA/B has blacklisting functionality and the user is blacklisted by these tokens). The status cannot be changed, and the vault is stuck until processDepositFailure can function properly.

Impact

Cancelled deposits may not be processed correctly, which may lead to the user not receiving their deposit token, and failed deposits might prevent the vault from functioning properly for some time.

Tools Used

Manual

Recommendations

Consider allowing depositCache.user to be changed, or putting token transfers in try/catch blocks and adding claiming functionality for users, so that failed token transfers do not break vault functionality.
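
One way to apply the second recommendation, as an added example that is not part of the original submission or Steadefi's code: a refund is pushed if possible and otherwise recorded for the user to claim later. The contract name ClaimableRefunds and all of its functions are hypothetical; it uses a low-level call instead of a try/catch block because try/catch does not catch return-data decoding errors from tokens that return no bool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical mixin (illustration only, not Steadefi code): refunds that
/// cannot be pushed, e.g. because the token blacklists the recipient, are
/// parked in a mapping instead of reverting the whole call.
abstract contract ClaimableRefunds {
    // token => user => amount owed after a failed push transfer
    mapping(address => mapping(address => uint256)) public claimable;

    event RefundDeferred(address indexed token, address indexed user, uint256 amount);
    event RefundClaimed(address indexed token, address indexed user, address to, uint256 amount);

    /// Returns false instead of reverting when the token transfer fails.
    function _tryTransfer(address token, address to, uint256 amount) private returns (bool) {
        if (token.code.length == 0) return false; // a call to a non-contract would "succeed"
        (bool ok, bytes memory ret) = token.call(abi.encodeCall(IERC20.transfer, (to, amount)));
        // Accept tokens that return nothing; decode as uint256 so odd values cannot revert.
        return ok && (ret.length == 0 || (ret.length >= 32 && abi.decode(ret, (uint256)) != 0));
    }

    /// Used on cancellation and failure paths in place of a direct transfer,
    /// so a reverting token cannot block the vault's status transitions.
    function _refundOrDefer(address token, address user, uint256 amount) internal {
        if (amount == 0) return;
        if (!_tryTransfer(token, user, amount)) {
            claimable[token][user] += amount;
            emit RefundDeferred(token, user, amount);
        }
    }

    /// The owed user pulls the funds, optionally to a different address.
    function claim(address token, address to) external {
        uint256 amount = claimable[token][msg.sender];
        require(amount != 0, "nothing to claim");
        claimable[token][msg.sender] = 0; // effects before interaction
        require(_tryTransfer(token, to, amount), "transfer failed");
        emit RefundClaimed(token, msg.sender, to, amount);
    }
}
```

Deferred amounts stay in the contract's token balance, so any vault accounting that reads balanceOf must subtract them.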

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

DOS for the tokens with a blacklist

Impact: High Likelihood: Low
