In Pool.sol, the lockup restriction on withdrawals can be bypassed or shortened if new liquidity providers cooperate with existing ones.
Proof of Concept
A liquidity provider, Alice, deposits liquidity assets into the pool and receives some FDTs. She then waits lockupPeriod days and calls intendToWithdraw to open her withdrawal window. She is now able to withdraw her funds and is still allowed to receive FDTs.
A new liquidity provider, Bob, deposits liquidity assets into the pool and receives some FDTs. By the protocol's design, he is not yet allowed to withdraw his funds.
Bob and Alice agree to cooperate. Bob transfers his FDTs to Alice via the _transfer function.
Alice then withdraws the amount corresponding to the FDTs received from Bob. Because depositDate is recalculated as a balance-weighted timestamp, the remaining locking period is reduced. When Alice's deposit is much larger than Bob's, Bob only needs to wait for the withdrawCooldown period before his funds can be withdrawn.
Handle
shw
Vulnerability details
Impact
Tools Used
None
Recommended Mitigation Steps
Recalculate depositDate every time a transfer occurs.
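The following is an added Python model of the behaviour described in the Proof of Concept and the mitigation above; it is not Maple's Pool.sol code. The weighted-timestamp formula, the class and function names, and the parameter values (a 90-day lockupPeriod, a 10-day withdrawCooldown, Alice's 1,000,000-token deposit against Bob's 10,000) are assumptions chosen to illustrate the dilution. The `reset_on_transfer` flag models one conservative reading of "recalculate depositDate on every transfer": the recipient's clock restarts at the transfer time.

```python
# Added example: Python model of a balance-weighted depositDate and of the lockup
# dilution it allows. Not the project's code; formula and parameters are assumptions.

DAY = 24 * 60 * 60


class PoolModel:
    """Minimal model of FDT balances with a per-account weighted depositDate."""

    def __init__(self, lockup_period=90 * DAY, withdraw_cooldown=10 * DAY,
                 reset_on_transfer=False):
        self.lockup_period = lockup_period
        self.withdraw_cooldown = withdraw_cooldown
        # Hardened variant (assumption): restart the recipient's clock on transfer.
        self.reset_on_transfer = reset_on_transfer
        self.balance = {}
        self.deposit_date = {}
        self.withdraw_intent = {}

    def _update_deposit_date(self, who, amt, now):
        """Weighted update: the date moves toward `now` in proportion to
        amt / (balance + amt), so a large existing balance barely moves it."""
        bal = self.balance.get(who, 0)
        prev = self.deposit_date.get(who)
        if prev is None or bal == 0:
            self.deposit_date[who] = now
        else:
            self.deposit_date[who] = prev + (now - prev) * amt // (bal + amt)

    def deposit(self, who, amt, now):
        self._update_deposit_date(who, amt, now)
        self.balance[who] = self.balance.get(who, 0) + amt

    def transfer(self, frm, to, amt, now):
        """Vulnerable path: recipient's depositDate is only weight-averaged."""
        assert self.balance.get(frm, 0) >= amt, "insufficient balance"
        if self.reset_on_transfer:
            self.deposit_date[to] = now
        else:
            self._update_deposit_date(to, amt, now)
        self.balance[frm] -= amt
        self.balance[to] = self.balance.get(to, 0) + amt

    def intend_to_withdraw(self, who, now):
        self.withdraw_intent[who] = now

    def lockup_remaining(self, who, now):
        return max(0, self.deposit_date[who] + self.lockup_period - now)

    def can_withdraw(self, who, now):
        intent = self.withdraw_intent.get(who)
        cooldown_ok = intent is not None and now >= intent + self.withdraw_cooldown
        return cooldown_ok and self.lockup_remaining(who, now) == 0


def run_scenario(reset_on_transfer=False):
    """Replays the Alice/Bob sequence from the finding with constructed numbers."""
    pool = PoolModel(reset_on_transfer=reset_on_transfer)
    t0 = 1_600_000_000                      # constructed start timestamp
    pool.deposit("alice", 1_000_000, t0)    # large, early deposit
    t_bob = t0 + 100 * DAY                  # Alice is already past lockupPeriod
    pool.deposit("bob", 10_000, t_bob)      # new, small deposit
    pool.intend_to_withdraw("alice", t_bob)
    pool.transfer("bob", "alice", 10_000, t_bob)
    t_check = t_bob + pool.withdraw_cooldown
    return {
        "alice_lockup_remaining_days": pool.lockup_remaining("alice", t_check) // DAY,
        "alice_can_withdraw_all": pool.can_withdraw("alice", t_check),
        "alice_balance": pool.balance["alice"],
    }


if __name__ == "__main__":
    print("weighted depositDate:", run_scenario(False))
    print("reset on transfer:  ", run_scenario(True))
```

With the weighted update, Bob's 10,000 tokens shift Alice's depositDate by roughly one day, so after only the cooldown she can withdraw the whole 1,010,000; with the clock reset, the same tokens still have 80 days of lockup left in her account.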