[WP-H2] Transferring `quoteToken` to the exchange pool contract will cause future liquidity providers to lose funds
#146
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
- sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
WatchPug
Vulnerability details
In the current implementation, the amount of LP tokens to be minted when `addLiquidity()` is called is calculated based on the ratio between the amount of newly added `quoteToken` and the current wallet balance of `quoteToken` in the `Exchange` contract.

However, since anyone can transfer `quoteToken` to the contract and make the balance of `quoteToken` larger than `_internalBalances.quoteTokenReserveQty`, existing liquidity providers can take advantage of this by donating `quoteToken`, making future liquidity providers receive fewer LP tokens than expected and lose funds.

https://github.com/code-423n4/2022-01-elasticswap/blob/d107a198c0d10fbe254d69ffe5be3e40894ff078/elasticswap/src/libraries/MathLib.sol#L578-L582
PoC
Given:

- `Exchange` pool is new;
- `addLiquidity()` with `1e18 baseToken` and `1e18 quoteToken`, received `1e18` LP token;
- `99e18 quoteToken` to the `Exchange` pool contract;
- `addLiquidity()` with `1e18 baseToken` and `1e18 quoteToken`;
- `removeLiquidity()` with all the LP token in balance.

Expected Results: Bob received `1e18 baseToken` and >= `1e18 quoteToken`.

Actual Results: Bob received ~`0.02e18 baseToken` and ~`1e18 quoteToken`.

Alice can now `removeLiquidity()` and receive ~`1.98e18 baseToken` and ~`100e18 quoteToken`.

As a result, Bob suffers a fund loss of `0.98e18 baseToken`.
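The PoC above as a runnable integer model, added here as an illustration and not taken from the report or from ElasticSwap's Solidity code. It assumes Alice makes the first deposit and the donation and Bob the later deposit and withdrawal (inferred from the stated results), a geometric-mean first mint, and pro-rata withdrawals; `Pool`, `run_poc` and `use_internal_reserve` are hypothetical names. The `use_internal_reserve=True` branch mints against the internal reserve for comparison only, which is an assumption and not the sponsor's patch.

```python
# Added illustration: simplified integer model of the PoC, not ElasticSwap's code.
from math import isqrt

E18 = 10**18

class Pool:
    def __init__(self, use_internal_reserve):
        self.use_internal_reserve = use_internal_reserve
        self.base_bal = 0       # baseToken held by the pool
        self.quote_bal = 0      # quoteToken wallet balance (raised by donations)
        self.quote_reserve = 0  # models _internalBalances.quoteTokenReserveQty
        self.supply = 0         # total LP tokens
        self.lp = {}            # LP balance per provider

    def add_liquidity(self, who, base_qty, quote_qty):
        if self.supply == 0:
            # Assumption: geometric mean for the first mint (PoC: 1e18 LP).
            minted = isqrt(base_qty * quote_qty)
        else:
            denom = self.quote_reserve if self.use_internal_reserve else self.quote_bal
            minted = quote_qty * self.supply // denom
        self.base_bal += base_qty
        self.quote_bal += quote_qty
        self.quote_reserve += quote_qty
        self.supply += minted
        self.lp[who] = self.lp.get(who, 0) + minted

    def donate_quote(self, qty):
        # Plain token transfer: wallet balance grows, internal reserve does not.
        self.quote_bal += qty

    def remove_liquidity(self, who):
        # Pro-rata share of the pool's wallet balances (model assumption).
        share = self.lp.pop(who)
        base_out = self.base_bal * share // self.supply
        quote_out = self.quote_bal * share // self.supply
        self.base_bal -= base_out
        self.quote_bal -= quote_out
        self.supply -= share
        return base_out, quote_out

def run_poc(use_internal_reserve):
    pool = Pool(use_internal_reserve)
    pool.add_liquidity("alice", E18, E18)   # Alice seeds the new pool
    pool.donate_quote(99 * E18)             # donation bypasses addLiquidity()
    pool.add_liquidity("bob", E18, E18)     # Bob joins afterwards
    bob = pool.remove_liquidity("bob")
    alice = pool.remove_liquidity("alice")
    return {"bob": bob, "alice": alice}
```

`run_poc(False)` returns the amounts listed under Actual Results; `run_poc(True)` returns Bob his full `1e18 baseToken`, in line with the Expected Results.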
Recommendation
Change to: