Rough Misty Hawk - ShareManager.isDepositorWhitelisted doesn't check hasWhitelist for whitelistMerkleRoot_. #761

@sherlock-admin4

Rough Misty Hawk

Medium

ShareManager.isDepositorWhitelisted doesn't check hasWhitelist for whitelistMerkleRoot_.

Summary

    struct ShareManagerStorage {
        /// @notice Address of the vault associated with this ShareManager.
        address vault;
        /// @notice Bitpacked configuration flags controlling global minting, burning, transfers, whitelists and lockups.
        uint256 flags;
        /// @notice Total shares allocated to all accounts (includes pending shares).
        uint256 allocatedShares;
        /// @notice Merkle root for verifying account permissions (used for deposits if whitelist flags are active).
@>      bytes32 whitelistMerkleRoot;
        /// @notice Tracks individual account permissions, blacklist status, and lockup.
        mapping(address account => AccountInfo) accounts;
    }

ShareManager.isDepositorWhitelisted checks whitelistMerkleRoot even though $.flags.hasWhitelist() is false.

Root Cause

https://github.com/sherlock-audit/2025-07-mellow-flexible-vaults/blob/main/flexible-vaults/src/managers/ShareManager.sol#L53-L63

It checks whitelistMerkleRoot_ when $.flags.hasWhitelist() = false.

Internal Pre-conditions

.

External Pre-conditions

.

Attack Path

.

Impact

This can cause DoS because isDepositorWhitelisted checks whitelistMerkleRoot_ even though $.flags.hasWhitelist() = false.

PoC

.

Mitigation

Update code.

    if ($.flags.hasWhitelist() == false)
      return true;
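To make the reported behaviour concrete, here is an added illustrative Solidity model of the check; it is not the Mellow code (see the link above) and the flag bit position, the leaf encoding and the per-account permission being a plain bool are assumptions. It places the shape described in the issue beside the version with the proposed early return.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative model, not the project's code. Assumed: bit 3 of `flags`
// is hasWhitelist, leaf = keccak256(abi.encode(account)), and the per-account
// permission is a plain bool rather than the project's AccountInfo struct.
contract WhitelistCheckModel {
    uint256 internal constant HAS_WHITELIST_BIT = 1 << 3; // assumed bit position
    uint256 public flags;
    bytes32 public whitelistMerkleRoot;
    mapping(address => bool) public canDeposit;

    constructor(uint256 flags_, bytes32 root_) { flags = flags_; whitelistMerkleRoot = root_; }

    function hasWhitelist() public view returns (bool) { return (flags & HAS_WHITELIST_BIT) != 0; }

    // Shape described in the issue: the Merkle root is consulted even when the
    // whitelist flag is off, so once a root is set, every depositor without a
    // valid proof is rejected (deposits are denied).
    function isDepositorWhitelistedVulnerable(address account, bytes32[] calldata proof)
        external view returns (bool)
    {
        bytes32 root = whitelistMerkleRoot;
        if (root != bytes32(0)) return _verify(proof, root, keccak256(abi.encode(account)));
        return !hasWhitelist() || canDeposit[account];
    }

    // With the issue's mitigation: return early when no whitelist is configured,
    // so neither the root nor the per-account permission is consulted.
    function isDepositorWhitelistedFixed(address account, bytes32[] calldata proof)
        external view returns (bool)
    {
        if (!hasWhitelist()) return true;
        bytes32 root = whitelistMerkleRoot;
        if (root != bytes32(0)) return _verify(proof, root, keccak256(abi.encode(account)));
        return canDeposit[account];
    }

    // Sorted-pair Merkle proof check (same scheme as OpenZeppelin's MerkleProof).
    function _verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf) internal pure returns (bool) {
        bytes32 h = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            h = h < proof[i] ? keccak256(abi.encodePacked(h, proof[i])) : keccak256(abi.encodePacked(proof[i], h));
        }
        return h == root;
    }
}
```

Deploying the model with the whitelist bit cleared and a non-zero root shows the difference: the vulnerable function returns false for any account that passes an empty proof, while the fixed one returns true.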
