code-423n4 / 2022-04-backd-findings


Reputation risk for not being able to rescue unaccounted transfer to pool #186

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

LiquidityPool.withdrawAll#L126

Vulnerability details

Impact

Transferring funds to an address can be extremely easy. If a user is distracted or unaware, they could easily forget to make use of the designated deposit functions.

Having no way to recover funds that users have transferred directly to the pool (without using the designated deposit functions) might cause reputation damage if a large sum is accidentally transferred and cannot be recovered (without having to use withdrawAll). The user might feel cheated and perceive the protocol as dishonest.

Proof of Concept

The user simply uses the token's transfer function to send funds to the pool, and their contribution is not accounted for.

Tools Used

Recommended Mitigation Steps

Insert a withdraw function that allows withdrawing specific amounts to quickly resolve such events.
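To make the accounting gap and the proposed mitigation concrete, here is an added illustrative contract. It is not Backd's LiquidityPool and not code from this issue; the names (`SweepablePool`, `totalDeposited`, `unaccountedBalance`, `sweepUnaccounted`, `governance`) are hypothetical. The pool credits only tokens that arrive through `deposit`, so a raw ERC20 `transfer` to the contract address raises `balanceOf` without touching `totalDeposited`; the rescue function is then bounded by that surplus so it can never move depositor funds, unlike a withdraw-everything style function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 interface: only the calls this example needs.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical pool, written for this example. It keeps its own record of
// credited deposits in `totalDeposited`; tokens sent to this address with a
// plain ERC20 `transfer` bypass `deposit` and are never reflected there.
contract SweepablePool {
    IERC20 public immutable underlying;
    address public immutable governance;
    uint256 public totalDeposited;                 // sum of all credited deposits
    mapping(address => uint256) public deposits;   // per-user credited balance

    event Swept(address indexed to, uint256 amount);

    constructor(IERC20 _underlying, address _governance) {
        underlying = _underlying;
        governance = _governance;
    }

    // The designated entry point: only funds that come in here are credited.
    function deposit(uint256 amount) external {
        require(underlying.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
        totalDeposited += amount;
    }

    // Tokens the pool holds that no depositor is credited for, i.e. what a
    // user sent by mistake with a direct `transfer`.
    function unaccountedBalance() public view returns (uint256) {
        uint256 held = underlying.balanceOf(address(this));
        return held > totalDeposited ? held - totalDeposited : 0;
    }

    // Targeted rescue: governance may move a specific amount, capped at the
    // unaccounted surplus, so credited deposits can never be drained this way.
    function sweepUnaccounted(address to, uint256 amount) external {
        require(msg.sender == governance, "not governance");
        require(amount <= unaccountedBalance(), "exceeds unaccounted surplus");
        require(underlying.transfer(to, amount), "transfer failed");
        emit Swept(to, amount);
    }
}
```

The cap in `sweepUnaccounted` is the check a reviewer would look for: a rescue function with no such bound is itself a privileged drain. The surplus calculation assumes the pool's token balance should equal its credited deposits; in a pool that also holds unrealised yield or strategy returns in the same token, the threshold must be derived from the pool's own total-assets accounting instead of `totalDeposited`, or legitimate value would be swept along with the mistaken transfer.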

chase-manning commented 2 years ago

We will not be adding support for this. Disagree that it is a vulnerability.