Category: Coding Mistakes

Missing availableCap update in withdraw function

Low Impact
Low Severity
Low Likelihood

Description

There is an inconsistency in the implementation of the MitosisVault contract. In the current code, the _deposit function deducts from availableCap, but the withdraw function does not perform any operations with availableCap.

See the _deposit function in the MitosisVault contract: L217

function _deposit(address asset, address to, uint256 amount) internal override(MitosisVaultMatrix, MitosisVaultEOL) {
    StorageV1 storage $ = _getStorageV1();
    require(to != address(0), StdError.ZeroAddress('to'));
    require(amount != 0, StdError.ZeroAmount());

    _assertAssetInitialized(asset);
    _assertNotHalted($, asset, AssetAction.Deposit);
    _assertCapNotExceeded($, asset, amount);

    $.assets[asset].availableCap -= amount;
    IERC20(asset).safeTransferFrom(_msgSender(), address(this), amount);
}

This function deducts the amount from availableCap when depositing.

In contrast, see the withdraw function: L118-L127

function withdraw(address asset, address to, uint256 amount) external whenNotPaused {
    StorageV1 storage $ = _getStorageV1();

    _assertOnlyEntrypoint($);
    _assertAssetInitialized(asset);

    IERC20(asset).safeTransfer(to, amount);

    emit Withdrawn(asset, to, amount);
}

This function does not perform any operations with availableCap when withdrawing. This is not the intended behavior, and the withdraw function should also affect the availableCap state.

Impact

This inconsistency can lead to inaccurate management of the vault's availableCap state. Since availableCap decreases every time a user deposits funds but does not increase when they withdraw, over time, availableCap will continuously decrease.

Recommendations

The withdraw function should be modified to properly update availableCap.
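
The drift described above can be pinned down as an invariant. The contract below is an added illustration, not Mitosis code and not the fix from the remediation commit: it models a single asset, replaces the token transfer with a `held` counter, and assumes a fixed cap and that a withdrawal returns capacity one-for-one. The names `CapAccountingModel`, `withdrawAudited`, `withdrawRestoring` and `capAccountingHolds` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not Mitosis code: a single-asset model of the cap accounting.
/// Token transfers are replaced by the `held` counter so the file compiles on its own.
contract CapAccountingModel {
    uint256 public immutable cap;   // assumed fixed deposit cap
    uint256 public availableCap;    // remaining deposit capacity
    uint256 public held;            // stand-in for the vault's token balance

    error ZeroAmount();
    error CapExceeded(uint256 requested, uint256 available);
    error InsufficientHeld(uint256 requested, uint256 held);

    constructor(uint256 cap_) {
        cap = cap_;
        availableCap = cap_;
    }

    // Mirrors _deposit: capacity is consumed on the way in.
    function deposit(uint256 amount) external {
        if (amount == 0) revert ZeroAmount();
        if (amount > availableCap) revert CapExceeded(amount, availableCap);
        availableCap -= amount;
        held += amount;
    }

    // Mirrors the audited withdraw: funds leave, availableCap is untouched.
    function withdrawAudited(uint256 amount) external {
        if (amount > held) revert InsufficientHeld(amount, held);
        held -= amount;
    }

    // Assumed correction: capacity is handed back when funds leave.
    function withdrawRestoring(uint256 amount) external {
        if (amount > held) revert InsufficientHeld(amount, held);
        held -= amount;
        availableCap += amount;
    }

    // Invariant for a test suite: capacity in use plus capacity left equals the cap.
    function capAccountingHolds() external view returns (bool) {
        return held + availableCap == cap;
    }
}
```

In this model, `deposit(100)` followed by `withdrawAudited(100)` on a cap of 100 leaves `availableCap` at 0 with nothing held, so `capAccountingHolds()` returns false and further deposits revert with `CapExceeded`; the same sequence through `withdrawRestoring` keeps the invariant true.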

Remediation

This issue has been acknowledged by Mitosis, and a fix was implemented in commit d0c850d2.

Zellic © 2025