code-423n4 / 2022-01-trader-joe-findings


Add liquidity before phase 3 can force the launch event to stop #246

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/code-423n4/2022-01-trader-joe/blob/119e12d715ececc31478e833297f124cc15d27c2/contracts/LaunchEvent.sol#L376-L388

```solidity
function createPair() external isStopped(false) atPhase(Phase.PhaseThree) {
    (address wavaxAddress, address tokenAddress) = (
        address(WAVAX),
        address(token)
    );
    // Guard: proceed only if the pair does not exist yet, or exists with no LP supply.
    require(
        factory.getPair(wavaxAddress, tokenAddress) == address(0) ||
            IJoePair(
                IJoeFactory(factory).getPair(wavaxAddress, tokenAddress)
            ).totalSupply() ==
            0,
        "LaunchEvent: liquid pair already exists"
    );
    // ... remainder of createPair() omitted from this excerpt
}
```

createPair() is supposed to be called after phase 3 has started to finalize the launch event, and all users can withdrawLiquidity() after this.

However, since createPair() requires that the wavaxAddress, tokenAddress pair does not exist or that its totalSupply == 0, if someone (an attacker, a malicious user, or just a regular user) adds liquidity to the pair during phase 1 and 2, or during phase 3 before createPair() is called, the launch event cannot be finalized, forcing the event to be canceled and put into emergencyWithdraw mode.

Recommendation

Consider allowing createPair() when the pair is at a certain price range, so that even in the case above, the launch event can still be finalized, by combining a swap tx to correct the price to the target range with the createPair() tx.
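The guard and the recommendation above, as an added Python model that is not part of the original report or the project's code. `Pair`, `original_guard`, `price_band_guard`, the 1% tolerance and all amounts are constructed assumptions. It models the reporter's price-range suggestion, not the low-level mint fix the project later merged.

```python
# Added illustration: a simplified model, not the LaunchEvent.sol source.
from dataclasses import dataclass
from math import isqrt


@dataclass
class Pair:
    """Constant-product pair reduced to the fields the guard reads."""
    wavax: int = 0
    token: int = 0
    total_supply: int = 0  # LP tokens minted so far

    def add_liquidity(self, wavax: int, token: int) -> None:
        # Simplified mint: geometric mean of the deposit (assumption).
        self.wavax += wavax
        self.token += token
        self.total_supply += isqrt(wavax * token)


def original_guard(pair):
    """Mirrors the require(): no pair yet, or a pair with zero LP supply."""
    return pair is None or pair.total_supply == 0


def price_band_guard(pair, ev_wavax, ev_token, tol_bps=100):
    """Hypothetical form of the recommendation: also accept a seeded pair whose
    price is within tol_bps of the launch event's WAVAX/token ratio."""
    if original_guard(pair):
        return True
    # Compare pair.wavax/pair.token with ev_wavax/ev_token by cross-multiplying,
    # staying in integer arithmetic as on-chain code would.
    lhs = pair.wavax * ev_token
    rhs = ev_wavax * pair.token
    return abs(lhs - rhs) * 10_000 <= tol_bps * rhs


if __name__ == "__main__":
    EV_WAVAX, EV_TOKEN = 1_000, 500_000   # constructed launch-event balances
    seeded = Pair()
    seeded.add_liquidity(1, 1)            # dust deposit before createPair()
    print("original guard passes:", original_guard(seeded))
    print("band guard, off-price pair:", price_band_guard(seeded, EV_WAVAX, EV_TOKEN))
    corrected = Pair(wavax=2, token=1_000, total_supply=1)  # price moved to target
    print("band guard, corrected pair:", price_band_guard(corrected, EV_WAVAX, EV_TOKEN))
```

In the model, a single dust deposit is enough to make the original guard fail permanently, while the price-band variant accepts the pair once its reserves match the event's ratio.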

cryptofish7 commented 2 years ago

Fixed with low level mint https://github.com/traderjoe-xyz/rocket-joe/pull/81/files

dmvt commented 2 years ago

duplicate of #197