Judge has assessed an item in Issue #211 as 2 risk. The relevant finding follows:
[L-4] LiquidityPool processWithdraws overwrites returnedAmount for withdrawals processed in multiple steps
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L306
https://github.com/code-423n4/2023-03-polynomial/blob/main/src/LiquidityPool.sol#L320
The returnedAmount field in the QueuedWithdraw struct is incorrectly overwritten when the withdraw is processed and available funds aren't enough to cover the withdrawal. As these cases are processed in multiple steps, the implementation should add the amounts instead of overwriting the value for returnedAmount.
```solidity
if (susdToReturn > availableFunds) {
    // Partial withdrawal: add to returnedAmount instead of overwriting it
    current.returnedAmount += availableFunds;
    uint256 tokensBurned = availableFunds.divWadUp(tokenPrice);
    totalQueuedWithdrawals -= tokensBurned;
    current.withdrawnTokens -= tokensBurned;
    totalFunds -= availableFunds;
    SUSD.safeTransfer(current.user, availableFunds);

    emit ProcessWithdrawalPartially(
        current.id, current.user, tokensBurned, availableFunds, current.requestedTime
    );
    return;
} else {
    // Complete full withdrawal
    current.returnedAmount += susdToReturn;
    totalQueuedWithdrawals -= current.withdrawnTokens;
    totalFunds -= susdToReturn;
    SUSD.safeTransfer(current.user, susdToReturn);

    emit ProcessWithdrawal(
        current.id, current.user, current.withdrawnTokens, susdToReturn, current.requestedTime
    );
    current.withdrawnTokens = 0;
}
```
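The accounting difference between overwriting and accumulating, as an added Python model of the branch above (not code from the contract or the report). The names `process` and `run`, the three-step funding scenario, and the `susdToReturn = withdrawnTokens.mulWadDown(tokenPrice)` formula are assumptions made for the illustration.

```python
# Added example: simplified model of a withdrawal processed in several steps.
WAD = 10**18  # 18-decimal fixed point, as used by the WAD math helpers


def mul_wad_down(x, y):
    return x * y // WAD


def div_wad_up(x, y):
    return -(-x * WAD // y)  # ceil(x * WAD / y) using integer arithmetic


def process(w, available, price, accumulate):
    """Run one processing step on a queued withdrawal; return sUSD transferred."""
    owed = mul_wad_down(w["withdrawnTokens"], price)  # assumed susdToReturn formula
    if owed > available:
        # Partial step: pay what is available and burn the matching tokens
        paid = available
        w["withdrawnTokens"] -= div_wad_up(paid, price)
    else:
        # Final step: pay the remainder in full
        paid = owed
        w["withdrawnTokens"] = 0
    # accumulate=False models the reported '=' behaviour, True the '+=' fix
    w["returnedAmount"] = (w["returnedAmount"] if accumulate else 0) + paid
    return paid


def run(accumulate):
    """Constructed scenario: 100 tokens queued at price 1.0, funded in 3 steps."""
    w = {"withdrawnTokens": 100 * WAD, "returnedAmount": 0}
    price = WAD
    transferred = 0
    for available in (30 * WAD, 50 * WAD, 500 * WAD):
        transferred += process(w, available, price, accumulate)
    return w["returnedAmount"], transferred


if __name__ == "__main__":
    for mode in (False, True):
        recorded, transferred = run(mode)
        label = "accumulate" if mode else "overwrite"
        print(f"{label}: recorded={recorded // WAD} transferred={transferred // WAD}")
```

With overwriting, `returnedAmount` ends up holding only the last step's payment while the user has received the full amount, so any reader of that field (off-chain accounting or an integrating contract) sees an understated value.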