The withdrawSingleByLiquidity function of LifeGuard3Pool calls buoy.singleStableToUsd to calculate the return USD amount, which internally calls _stableToUsd with the deposit parameter set to true. A more accurate calculation is to set the deposit parameter to false since this action is a withdrawal. A similar issue exists in the function calcProtocolWithdraw of Allocation, where the current strategy's USD is calculated by buoy.singleStableToUsd.
Consider adding a new boolean parameter, deposit, to the singleStableToUsd function of Buoy3Pool to indicate whether the action is a deposit or not, as that in the stableToUsd and stableToLp functions.
Handle
shw
Vulnerability details
Impact
The
withdrawSingleByLiquidityfunction ofLifeGuard3Poolcallsbuoy.singleStableToUsdto calculate the return USD amount, which internally calls_stableToUsdwith thedepositparameter set totrue. A more accurate calculation is to set thedepositparameter tofalsesince this action is a withdrawal. A similar issue exists in the functioncalcProtocolWithdrawofAllocation, where the current strategy's USD is calculated bybuoy.singleStableToUsd.Proof of Concept
Referenced code: LifeGuard3Pool.sol#L226 Buoy3Pool.sol#L122 Allocation.sol#L142
Recommended Mitigation Steps
Consider adding a new boolean parameter,
deposit, to thesingleStableToUsdfunction ofBuoy3Poolto indicate whether the action is a deposit or not, as that in thestableToUsdandstableToLpfunctions.