MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Distribution.sol#_withdraw(): the user won't be able to withdraw all of his amount under certain conditions

Summary

If depositTokenContractBalance_ is less than the amount the user wants to withdraw, the user won't be able to withdraw all of his amount under certain conditions.

Vulnerability Details

There is a check for whether the amount_ the user wants to withdraw is more than depositTokenContractBalance_, which is a valid condition after a negative rebase. If that check passes, amount_ is set equal to depositTokenContractBalance_, which can leave the user unable to withdraw all of his amount.

    uint256 depositTokenContractBalance_ = IERC20(depositToken).balanceOf(address(this));
    if (amount_ > depositTokenContractBalance_) {
        amount_ = depositTokenContractBalance_;
    }

Let's consider the following values:
userData.deposited = 14
amount_ = 14
depositTokenContractBalance_ = 10
pool.minimalStake = 5

The user wants to withdraw all of his stake, which is 14. However, depositTokenContractBalance_ is not 14 but 10, so the user's amount_ is set to 10. The problem arises because there is a minimalStake, which is 5.

newDeposited would be 14 - 10 = 4, and the require check would not pass since minimalStake is 5 and the withdrawal leaves only 4. That leaves the user unable to withdraw all of his amount. The only way this require can pass is if the user withdraws 9 tokens, but then 1 token is stuck that the user should be able to withdraw but can't.
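The arithmetic above can be checked with a small model, given here as an added example and not as code from Distribution.sol. The function names are hypothetical, and the form of the require (pass when the remaining deposit is zero or at least minimalStake) and the zero-amount and over-deposit reverts are assumptions inferred from the description in this report.

```python
# Added model of the withdraw arithmetic described in this report.
# It is not the Distribution.sol source; names here are hypothetical.
from typing import Optional


def withdraw(deposited: int, amount: int, contract_balance: int,
             minimal_stake: int) -> Optional[int]:
    """Return the amount paid out, or None where the call would revert."""
    # Clamp quoted in the report: never pay more than the contract holds.
    if amount > contract_balance:
        amount = contract_balance
    # ASSUMPTION: a zero withdrawal or one above the deposit reverts.
    if amount == 0 or amount > deposited:
        return None
    new_deposited = deposited - amount
    # ASSUMPTION: require form inferred from the report's text; the
    # remaining deposit must be zero or at least the minimal stake.
    if new_deposited != 0 and new_deposited < minimal_stake:
        return None
    return amount


def max_withdrawable(deposited: int, contract_balance: int,
                     minimal_stake: int) -> int:
    """Largest payout any single requested amount can achieve."""
    best = 0
    for requested in range(1, deposited + 1):
        paid = withdraw(deposited, requested, contract_balance, minimal_stake)
        if paid is not None:
            best = max(best, paid)
    return best


def stranded(deposited: int, contract_balance: int, minimal_stake: int) -> int:
    """Tokens the contract holds for this user that one call cannot reach.

    Single-user view: the whole contract balance is treated as this
    user's, as in the report's scenario.
    """
    reachable = min(deposited, contract_balance)
    return reachable - max_withdrawable(deposited, contract_balance, minimal_stake)


if __name__ == "__main__":
    # Values from the report: deposited 14, balance 10, minimalStake 5.
    print(withdraw(14, 14, 10, 5))       # full withdrawal request reverts
    print(max_withdrawable(14, 10, 5))   # best achievable payout
    print(stranded(14, 10, 5))           # tokens left behind
```
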

Impact

The user has already suffered losses from the negative rebasing and would not be able to withdraw all of his staked amount; on top of that, the check forces him to leave one more token that he should be able to withdraw.

Tools Used

Manual Review

Recommendations

A possible solution would be to reduce the amount staked by the user in proportion to the negative rebasing losses, rather than setting the amount to depositTokenContractBalance_ when there are not enough tokens.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
