Category: Coding Mistakes
Invalid business logic in Batcher.sol
Medium Severity
Medium Impact
N/A Likelihood
Description
The depositFunds() function of the Batcher contract contains this incorrect require statement at L94:
require(
    IERC20(vaultInfo.vaultAddress).totalSupply() -
        pendingDeposit +
        pendingWithdrawal +
        amountIn <=
        vaultInfo.maxAmount,
    "MAX_LIMIT_EXCEEDED"
);
The correct require statement should contain - pendingWithdrawal + pendingDeposit instead of - pendingDeposit + pendingWithdrawal.
Impact
The incorrect require statement fails to properly enforce the "users can deposit only up to vaultInfo.maxAmount of stakeable tokens" invariant.
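The effect on the cap, shown with an added Python model (not code from the audit or from the Batcher contract). It assumes that an accepted deposit increases pendingDeposit and that all quantities share one unit; BatcherModel, run and the sample numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class BatcherModel:
    max_amount: int              # vaultInfo.maxAmount
    total_supply: int            # IERC20(vaultInfo.vaultAddress).totalSupply()
    pending_deposit: int = 0
    pending_withdrawal: int = 0
    fixed: bool = True           # True: corrected signs; False: signs as reported

    def exposure(self, amount_in):
        """Left-hand side of the require statement for a deposit of amount_in."""
        if self.fixed:
            return (self.total_supply - self.pending_withdrawal
                    + self.pending_deposit + amount_in)
        return (self.total_supply - self.pending_deposit
                + self.pending_withdrawal + amount_in)

    def deposit_funds(self, amount_in):
        """Return False where the contract would revert with MAX_LIMIT_EXCEEDED."""
        if self.exposure(amount_in) > self.max_amount:
            return False
        # Assumption: an accepted deposit is queued, so pendingDeposit grows.
        self.pending_deposit += amount_in
        return True

    def committed(self):
        """Amount counted against the cap, using the corrected expression."""
        return self.total_supply - self.pending_withdrawal + self.pending_deposit


def run(fixed, pending_withdrawal, deposits):
    # Constructed state: cap 1000, total supply 900. Values are chosen so that
    # no intermediate result goes negative (Python ints do not model uint256).
    m = BatcherModel(max_amount=1000, total_supply=900,
                     pending_withdrawal=pending_withdrawal, fixed=fixed)
    results = [m.deposit_funds(d) for d in deposits]
    return results, m.committed()


if __name__ == "__main__":
    for fixed in (False, True):
        label = "corrected" if fixed else "reported "
        print(label, "queue grows :", run(fixed, 0, [100, 100, 100]))
        print(label, "withdrawals :", run(fixed, 100, [150]))
```

In this model the difference between the two expressions is twice (pendingWithdrawal - pendingDeposit), so the reported form accepts deposits past the cap once pendingDeposit is the larger value and rejects deposits that fit while pendingWithdrawal is the larger value.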
Recommendations
Consider changing - pendingDeposit + pendingWithdrawal to - pendingWithdrawal + pendingDeposit in the require statement.
Remediation
The issue has been mitigated and fixed accordingly in commit 0c2c815.