AuditProfile

Security blog

Division before multiplication still exists?

We're all familiar with the popular Solidity vulnerability called "division before multiplication". Most auditors will be able to detect it in a protocol's code. However, the same vulnerability can occur in a new way. Take a look at the following code snippet:

function _getAvailable(uint256 _tokenId) private view returns (uint256) {
    return getShares[_tokenId] * _getWithdrawablePerShare() - getWithdrawn[_tokenId]; 
}

function _getWithdrawablePerShare() private view returns (uint256) {
    return (_totalWithdrawn + _asset.balanceOf(address(this))) / getTotalShares;
}

The division happens in _getWithdrawablePerShare(), and _getAvailable() then multiplies that already-truncated result by the share count, so the calculation as a whole performs division before multiplication, which can result in precision loss. The consequence is that users may not be able to withdraw the amount they should receive, leaving some funds locked in the WithdrawalQueue.

The recommendation is simple: change the order of the calculation so that multiplication happens before division.
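The two calculation orders side by side, as an added example that is not code from the audited protocol or the report. The contract, function and parameter names are hypothetical, and the values in check() are constructed to show how much the split across two functions can truncate.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: a stand-alone model of the two calculation orders.
/// All names here are hypothetical, not the audited contract's.
contract WithdrawableOrderDemo {
    /// Same order as the snippet above: the per-share value is truncated
    /// by integer division first, then multiplied by the share count.
    function availableDivFirst(
        uint256 shares,
        uint256 withdrawn,
        uint256 totalAssets, // stands in for _totalWithdrawn + balanceOf(this)
        uint256 totalShares
    ) public pure returns (uint256) {
        uint256 perShare = totalAssets / totalShares; // remainder dropped here
        return shares * perShare - withdrawn;
    }

    /// Multiply first, divide last: one rounding step, on the final result.
    function availableMulFirst(
        uint256 shares,
        uint256 withdrawn,
        uint256 totalAssets,
        uint256 totalShares
    ) public pure returns (uint256) {
        return (shares * totalAssets) / totalShares - withdrawn;
    }

    /// Constructed values: one token holds all 1000 shares and the
    /// contract accounts for 1999 units of the asset.
    function check() external pure {
        // 1999 / 1000 truncates to 1, so only 1000 of 1999 units are claimable.
        assert(availableDivFirst(1000, 0, 1999, 1000) == 1000);
        // 1000 * 1999 / 1000 keeps the full 1999 units.
        assert(availableMulFirst(1000, 0, 1999, 1000) == 1999);
        // The 999-unit difference is what stays locked in the contract.
        assert(
            availableMulFirst(1000, 0, 1999, 1000) -
                availableDivFirst(1000, 0, 1999, 1000) == 999
        );
    }
}
```

Under Solidity 0.8 checked arithmetic, shares * totalAssets reverts on overflow; where that product can exceed uint256, a full-precision helper such as OpenZeppelin's Math.mulDiv keeps the multiply-first order without the revert.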

Read the full report here:

Link: https://code4rena.com/reports/2024-04-gondi#h-02-division-before-multiplication-could-lead-to-users-losing-50-in-withdrawalqueue

#division

#multiplication
