This repository has been archived by the owner on May 26, 2023. It is now read-only.

HollaDieWaldfee - Remaining funds cannot be refunded after partial refund #7

Closed
github-actions bot opened this issue Feb 21, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A valid Medium severity issue Reward A payout will be made for this issue

github-actions bot commented Feb 21, 2023

HollaDieWaldfee

high

Remaining funds cannot be refunded after partial refund

Summary

Deposits to bounties can be refunded via the DepositManagerV1.refundDeposit function.

The amount to be refunded is capped at the availableFunds amount:

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L171-L179

And refunding can occur only once. This is because BountyCore.refundDeposit checks that the depositId has not already been refunded:

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/Bounty/Implementations/BountyCore.sol#L69

Vulnerability Detail

Think of the following situation:
Funder A has deposited 500 USDC.
Funder A wants to refund his deposits, but only 200 USDC are available, so he receives only 200 USDC.

Now he is unable to refund the remaining 300 USDC, which he loses.

Also, if this amount is not claimed, it is stuck in the contract.

It should be possible for a funder to refund the remaining funds after a partial refund once the remaining funds become available.

Impact

Funders lose remaining funds after a partial refund and funds can get stuck in the bounty contract.

Code Snippet

https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/DepositManager/Implementations/DepositManagerV1.sol#L152-L195

Tool used

Manual Review

Recommendation

It should be possible for a funder to refund the remaining funds after a partial refund once the remaining funds become available.

Duplicate of #257

@github-actions github-actions bot added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue labels Feb 21, 2023
@sherlock-admin sherlock-admin added Medium A valid Medium severity issue Reward A payout will be made for this issue and removed High A valid High severity issue labels Mar 7, 2023
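
The capped, one-time refund described in the finding, next to a variant that tracks the amount still owed, as an added example that is not part of the original issue and is not the OpenQ code. The contract and function names are hypothetical, native ETH stands in for the token, the contract balance stands in for the available funds, and expiry and access checks are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added model of the finding. Hypothetical names; not the OpenQ contracts.
// Native ETH stands in for the token, and payout() has no access control.
contract RefundModel {
    struct Deposit {
        address funder;
        uint256 volume;   // amount originally deposited
        uint256 refunded; // cumulative amount returned (hardened path)
        bool isRefunded;  // one-shot flag (pattern described in the finding)
    }
    mapping(uint256 => Deposit) public deposits;
    uint256 public nextId;

    function fund() external payable returns (uint256 id) {
        id = nextId++;
        deposits[id] = Deposit(msg.sender, msg.value, 0, false);
    }

    // Models a claim that lowers the funds available for refunds.
    function payout(address to, uint256 amount) external { _send(to, amount); }

    // One-shot pattern: the refund is capped at the current balance and the
    // flag blocks every later call, so the uncovered remainder is unrecoverable.
    function refundOneShot(uint256 id) external {
        Deposit storage d = deposits[id];
        require(msg.sender == d.funder, "not funder");
        require(!d.isRefunded && d.refunded == 0, "already refunded");
        uint256 amount = _min(d.volume, address(this).balance);
        d.isRefunded = true;
        _send(d.funder, amount);
    }

    // Hardened pattern: record what was returned so the funder can call again
    // for the remainder once funds become available.
    function refundRemaining(uint256 id) external {
        Deposit storage d = deposits[id];
        require(msg.sender == d.funder && !d.isRefunded, "not refundable");
        uint256 amount = _min(d.volume - d.refunded, address(this).balance);
        require(amount > 0, "nothing to refund");
        d.refunded += amount; // state update before the external call
        _send(d.funder, amount);
    }

    function _min(uint256 a, uint256 b) private pure returns (uint256) { return a < b ? a : b; }
    function _send(address to, uint256 amount) private {
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With a deposit of 500 and a balance of 200, `refundOneShot` returns 200 and rejects every later call, while `refundRemaining` returns 200 and leaves 300 claimable once the balance recovers.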