The Pool.removeLiquiditySingle function redeems liquidity tokens for underlying to the router contract.
If toBase == true, it then tries to convert these to base tokens.
However, only the swapped token -> BASE amount is sent to the user, the redeemed part is still in the router and can be stolen by any other user.
Recommended Mitigation Steps
Send the entire BASE amount of the router to the member instead of only the swapped amount.
SamusElderg
commented
3 years ago
Handle
cmichel
Vulnerability details
Vulnerability Details
The
Pool.removeLiquiditySinglefunction redeems liquidity tokens for underlying to the router contract. IftoBase == true, it then tries to convert these to base tokens. However, only the swapped token -> BASE amount is sent to the user, the redeemed part is still in the router and can be stolen by any other user.Recommended Mitigation Steps
Send the entire
BASEamount of the router to thememberinstead of only the swapped amount.