We agree to this issue and will restrict access to burn in the pool contract.
We have already proposed adding a 1 week withdraw coolOff for all users per pool from the genesis of creation. Users can only add liquidity within this period.
Handle
jonah1005
Vulnerability details
Impact
Pool allows users to burn lp tokens without withdrawing the tokens. This allows the hacker to mutate the pools' rate to a point that no one can get any lp token anymore (even if depositing token).
The liquidity tokens are calculated at Utils:calcLiquidityUnits
where P stands for totalSupply of current Pool. If P is too small (e.g., 1) then all the units would be rounding to 0.
Since any person can create a Pool at PoolFactory, hackers can create a Pool and burn his lp and set totalSupply to 1. He will be the only person who owns the Pool's lp from now on.
Proof of Concept
Pool's burn logic:
https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Pool.sol#L146
Utils' lp token formula:
https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Utils.sol#L80
Here's a script of a user depositing 1M token to a pool where totalSupply equals 1
Output:
Tools Used
None
Recommended Mitigation Steps
Remove burn or restrict it to privileged users only.
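An added Python model of the rounding failure described in this issue (not the project's contract code and not the reporter's script). It assumes a simplified pro-rata formula, units = P(tB + Tb) / (2TB) with truncating integer division, because the page does not reproduce the formula from Utils; the Pool class, all names and all amounts are constructed, and the restricted-burn flag models the recommended mitigation.

```python
# Added model, not the Spartan contracts: Python ints with // mimic Solidity uint division.
ONE = 10**18  # 18-decimal token unit (assumption)


def calc_liquidity_units(b, B, t, T, P):
    """Assumed pro-rata formula: P * (t*B + T*b) / (2*T*B), truncated.

    b, t = deposited base/token; B, T = reserves before deposit; P = LP totalSupply.
    """
    if P == 0:
        return b  # assumption: the first depositor's units equal the base amount
    return (P * (t * B + T * b)) // (2 * T * B)


class Pool:
    def __init__(self, burn_restricted=False, privileged=()):
        self.base = self.token = self.total_supply = 0
        self.balances = {}
        self.burn_restricted = burn_restricted
        self.privileged = set(privileged)

    def add_liquidity(self, who, b, t):
        units = calc_liquidity_units(b, self.base, t, self.token, self.total_supply)
        self.base += b
        self.token += t
        self.total_supply += units
        self.balances[who] = self.balances.get(who, 0) + units
        return units

    def burn(self, who, amount):
        # Burning destroys LP units but leaves the reserves in the pool.
        if self.burn_restricted and who not in self.privileged:
            raise PermissionError("burn is restricted to privileged callers")
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient LP balance")
        self.balances[who] -= amount
        self.total_supply -= amount


def simulate(burn_restricted):
    """Creator seeds a pool and tries to burn down to 1 unit; a user then deposits."""
    pool = Pool(burn_restricted=burn_restricted)
    seeded = pool.add_liquidity("creator", 10_000_000 * ONE, 10_000_000 * ONE)
    try:
        pool.burn("creator", seeded - 1)
    except PermissionError:
        pass  # restricted burn: totalSupply stays proportional to the reserves
    minted = pool.add_liquidity("user", 1_000_000 * ONE, 1_000_000 * ONE)
    return pool.total_supply - minted, minted  # (supply before deposit, units minted)
```

With unrestricted burn the user's deposit is added to the reserves but mints 0 units; with burn restricted the same deposit mints units in proportion to the reserves.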