Under specific conditions, user deposits will always revert.
Vulnerability Details
When a user deposits funds through RestakeManager, the function checks the withdraw buffer and fill it if it is below the buffer target determined by bufferToFill.
If it needs to be filled, line RestakeManager#L547 checks whether the transferred _amount is less than or equal to bufferToFill.
bufferToFill = (_amount <= bufferToFill) ? _amount : bufferToFill;
The case where _amount is equal to bufferToFill is incorrectly handled as after subtraction the _amount value will be 0 RestakeManager#L549.
_amount -= bufferToFill;That leads to a revert during operatorDelegator.deposit line RestakeManager#L562, as it will not be able to pass the requirement for tokenAmount in OperatorDelegator#L147
if (address(tokenStrategyMapping[token]) == address(0x0) || tokenAmount == 0)Impact
MEDIUM – Under specific conditions, user deposits will always revert.
Recommendation
Handle separately the case in which the entire _amount goes towards filling the bufferToFill (_amount == bufferToFill).
If the amount equals 0 after paying bufferToFill, do not try to deposit it to operatorDelegator, allocate the appropriate amount of tokens to the user.
References
Meet Composable Security
Get throughly tested by the creators of Smart Contract Security Verification Standard
