Transfering funds to an address can be extremely easy. If an user is distracted or unaware he could easily forget to make use of designated deposit functions.
Having no way to recover funds that users have transfered directly to the pool (without using designated deposit functions) might cause reputation damage if large sum is accidentally transfered and cannot be recovered (without having to use withdrawAll). User might feel cheated and perceive protocol as dishonest.
Proof of Concept
User simply uses transfer function to send funds to pool and his contribution is not accounted for.
Tools Used
Recommended Mitigation Steps
Insert a withdraw function that allows withdrawing specific amounts to quickly resolve such events.
Lines of code
LiquidityPool.withdrawAll#L126
Vulnerability details
Impact
Transfering funds to an address can be extremely easy. If an user is distracted or unaware he could easily forget to make use of designated deposit functions.
Having no way to recover funds that users have transfered directly to the pool (without using designated deposit functions) might cause reputation damage if large sum is accidentally transfered and cannot be recovered (without having to use
withdrawAll
). User might feel cheated and perceive protocol as dishonest.Proof of Concept
User simply uses
transfer
function to send funds to pool and his contribution is not accounted for.Tools Used
Recommended Mitigation Steps
Insert a withdraw function that allows withdrawing specific amounts to quickly resolve such events.