There’s a logic mismatch between _allocate and _deallocate. _allocate unwrapps the full WETH amount but only deposits a down-rounded portion (leaving tiny native-ETH “dust” in the strategy). _deallocate only wraps the newly redeemed ETH before checking WETH balance. If redeem returns even 1 wei less than requested (or rounding/dust exists), the final require(TokenUtils.safeBalanceOf(address(weth), address(this)) >= amount, "...") fails and the deallocation reverts — even though the contract’s total native ETH (dust + redeemed) covers the requested amount. That revert can permanently block withdrawals until the contract is patched or upgraded.
Vulnerability Details
Core problematic code (condensed):
// vulnerable allocate
weth.withdraw(amount); // unwrap full amount to native ETH
uint256 amountToDeposit = (amount / 1e12) * 1e12; // round down
uint256 dust = amount - amountToDeposit; // left as native ETH
pool.deposit{value: amountToDeposit}(address(this), amountToDeposit);
return amount; // claims whole amount deposited
Because only ethRedeemed is wrapped (dust remains native ETH), the WETH balance can be smaller than amount while ethRedeemed + dust >= amount. The require then reverts and the whole withdraw fails.
Impact Details
Impact: Permanent freezing of funds (critical liveness failure).
How: A normal withdrawal can fail and revert if redemption produces a tiny shortfall (1 wei) or due to the rounding/dust left during allocation. Once in this state, withdrawals will keep reverting and funds are effectively locked until a contract change (upgrade/patch) is applied.
Who is affected: Vault/strategy depositors and withdrawers. Not merely admin-only — ordinary users attempting withdrawals will be blocked.
Severity: Critical / High (funds inaccessible until fix).
