Liquidity providers may lose funds when adding liquidity #376
Comments
Dup #90
berndartmueller marked the issue as primary issue
outdoteth marked the issue as sponsor confirmed
Fixed in: outdoteth/caviar#2 By allowing a user to specify a
I have to point out I think this fix is insufficient. So with the current fix, any price change within the slippage tolerance will always result in more tokens than necessary being withdrawn from the user. Consider checking the recommended fix in #90
berndartmueller marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2022-12-caviar/blob/0212f9dc3b6a418803dbfacda0e340e059b8aae2/src/Pair.sol#L421-L423
Vulnerability details
Impact
Liquidity providers may lose a portion of the provided liquidity in either of the pair tokens. While the minLpTokenAmount argument protects from slippage when adding liquidity, it doesn't protect from providing liquidity at a different K.
Proof of Concept
The Pair contract is designed to receive liquidity from liquidity providers (Pair.sol#L63). The first liquidity provider in a pool may provide arbitrary token amounts and set the initial price (Pair.sol#L425-L426), but all other liquidity providers must provide liquidity proportionally to the current pool reserves (Pair.sol#L420-L423). Since a pool is made of two tokens and liquidity is provided in both tokens, there's a possibility for a discrepancy: the token amounts may be provided in different proportions. When this happens, the smaller of the two proportions is chosen to calculate the amount of LP tokens minted (Pair.sol#L420-L423). As a result, the difference in proportions creates an excess of tokens that won't be redeemable for the amount of LP tokens minted. The excess of tokens is, basically, donated to the pool: it will be shared among all liquidity providers of the pool. While the minLpTokenAmount argument of the add function (Pair.sol#L63) allows liquidity providers to set the minimal amount of LP tokens they want to receive, it doesn't allow them to minimize the disproportion of token amounts or avoid it at all.
Tools Used
Manual review
Recommended Mitigation Steps
In the add function, consider calculating optimal token amounts based on the amounts specified by the user, the current pool reserves, and the minimal LP token amount specified by the user. As a reference, consider this piece from the Uniswap V2 Router: UniswapV2Router02.sol#L45-L60.
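As an added illustration (not Caviar's code, nor the Uniswap code it references), the following Python model reproduces the LP-token accounting described in the Proof of Concept and sets the Uniswap-style optimal-amount computation recommended above beside it. The pool numbers are constructed, and the model assumes no fees and EVM-style integer division that rounds down.

```python
# Model of the Pair.add() LP-token accounting described in this issue. This is
# NOT Caviar's code: constructed reserves, no fees, integer division like the EVM.

def lp_minted(base_in, frac_in, base_res, frac_res, lp_supply):
    """Pair.sol#L420-L423 as described above: LP tokens follow the SMALLER of the
    two deposit proportions, so the larger side is over-deposited."""
    return min(base_in * lp_supply // base_res, frac_in * lp_supply // frac_res)

def donated_excess(base_in, frac_in, base_res, frac_res, lp_supply):
    """Tokens deposited but not redeemable by the minted LP tokens, i.e. the
    portion effectively donated to the pool's other liquidity providers."""
    minted = lp_minted(base_in, frac_in, base_res, frac_res, lp_supply)
    # Reserves and supply after the deposit; a later removal is pro-rata on these.
    new_base, new_frac = base_res + base_in, frac_res + frac_in
    new_supply = lp_supply + minted
    redeem_base = minted * new_base // new_supply
    redeem_frac = minted * new_frac // new_supply
    return base_in - redeem_base, frac_in - redeem_frac

def optimal_amounts(base_desired, frac_desired, base_res, frac_res):
    """Mitigation in the spirit of UniswapV2Router02._addLiquidity: scale the
    over-supplied side down to the current reserve ratio so the remainder stays
    in the user's wallet instead of being pulled into the pool."""
    frac_optimal = base_desired * frac_res // base_res
    if frac_optimal <= frac_desired:
        return base_desired, frac_optimal
    base_optimal = frac_desired * base_res // frac_res
    return base_optimal, frac_desired

def add_with_optimal_amounts(base_desired, frac_desired, min_lp,
                             base_res, frac_res, lp_supply):
    """Pull only the optimal amounts and still honour minLpTokenAmount."""
    base_in, frac_in = optimal_amounts(base_desired, frac_desired, base_res, frac_res)
    minted = lp_minted(base_in, frac_in, base_res, frac_res, lp_supply)
    if minted < min_lp:
        raise ValueError("slippage: minted LP tokens below minLpTokenAmount")
    return base_in, frac_in, minted

if __name__ == "__main__":
    POOL = (1_000, 1_000, 1_000)  # constructed: base reserve, frac reserve, LP supply
    # User sends 100 base / 200 frac into a 1:1 pool: 91 frac is donated.
    print("donated, current code :", donated_excess(100, 200, *POOL))
    # With optimal amounts only 100/100 is pulled; nothing is donated.
    print("pulled, with fix      :", add_with_optimal_amounts(100, 200, 90, *POOL))
    print("donated, with fix     :", donated_excess(*optimal_amounts(100, 200, 1_000, 1_000), *POOL))
```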