The withdrawSingleByLiquidity function of LifeGuard3Pool calls buoy.singleStableToUsd to calculate the return USD amount, which internally calls _stableToUsd with the deposit parameter set to true. A more accurate calculation is to set the deposit parameter to false since this action is a withdrawal. A similar issue exists in the function calcProtocolWithdraw of Allocation, where the current strategy's USD is calculated by buoy.singleStableToUsd.
Consider adding a new boolean parameter, deposit, to the singleStableToUsd function of Buoy3Pool to indicate whether the action is a deposit or not, as that in the stableToUsd and stableToLp functions.
Handle
shw
Vulnerability details
Impact
The
withdrawSingleByLiquidity
function ofLifeGuard3Pool
callsbuoy.singleStableToUsd
to calculate the return USD amount, which internally calls_stableToUsd
with thedeposit
parameter set totrue
. A more accurate calculation is to set thedeposit
parameter tofalse
since this action is a withdrawal. A similar issue exists in the functioncalcProtocolWithdraw
ofAllocation
, where the current strategy's USD is calculated bybuoy.singleStableToUsd
.Proof of Concept
Referenced code: LifeGuard3Pool.sol#L226 Buoy3Pool.sol#L122 Allocation.sol#L142
Recommended Mitigation Steps
Consider adding a new boolean parameter,
deposit
, to thesingleStableToUsd
function ofBuoy3Pool
to indicate whether the action is a deposit or not, as that in thestableToUsd
andstableToLp
functions.