[Security] WBERAStakerVault: cancelQueuedWithdrawal re-mints shares at current rate, creating free option

[sailorpepe]

Summary

When a user cancels a queued withdrawal via cancelQueuedWithdrawal, the function re-mints shares using previewDeposit(request.assets) at the current exchange rate rather than restoring the original number of shares that were burned.

Issue

If the share price changed during the cooldown period (due to receiveRewards donations or other activity), the user receives a different number of shares than originally burned:

• If price decreased: user gets more shares → profit at other stakers' expense
• If price increased: user gets fewer shares → loss for the canceller

This creates a free option for the canceller — they can monitor the price and only cancel when it's profitable.

Affected Code

WBERAStakerVault.sol#L248-L258:

uint256 assets = request.assets;
uint256 maxAssets = maxDeposit(msg.sender);
if (assets > maxAssets) {
    revert ERC4626ExceededMaxDeposit(msg.sender, assets, maxAssets);
}
uint256 newSharesToMint = previewDeposit(assets); // ← uses current rate

reservedAssets -= assets;
_mint(msg.sender, newSharesToMint);

Recommended Fix

Re-mint the original number of shares that were burned at queue time:

- uint256 newSharesToMint = previewDeposit(assets);
+ uint256 newSharesToMint = request.shares;

This preserves the user's original position and prevents any exchange rate arbitrage.

Severity

Low — Requires price movement during cooldown period and the attacker bears token risk during the wait.

[sailorpepe]

⚠️ Correction — This is by design, not a bug

After further analysis, the current behavior of using previewDeposit(assets) is actually correct and fair.

Why request.shares would be wrong

When a withdrawal is queued, the assets are added to reservedAssets. Since totalAssets() = WBERA.balanceOf(this) - reservedAssets, the queued assets are excluded from yield calculations — they don't earn rewards during the cooldown.

If we restored the original request.shares, the canceller would receive credit for yield they didn't earn during the cooldown period, at the expense of active stakers. Using previewDeposit(assets) correctly prices their re-entry at the current rate.

What remains valid

The "free option" concern is still theoretically valid — a user could queue a withdrawal, observe the price, and cancel if the price dropped (getting more shares). However, since their assets don't earn yield while reserved, the optionality is limited to external price movements, not vault yield. This is likely an acceptable design tradeoff given the 7-day cooldown.

Revised severity: Informational / By Design. Apologies for the incorrect initial classification.