The current getTVL only calculates the token value of TokenisableRange, ignoring the value of token0 and token1, which leads to two problems:
The users who deposit tokens and increaseLiquidity with imperfect proportions will suffer losses. The getTVL is underestimated and excess token0 and token1 are stuck in the GeVault contract, cannot be withdraw.
When isEnabled is false, withdraw will removeFromAllTicks but will not deployAssets, which causes getTVL to be 0 (because token0 and token1's value are not calculated), causing other users except the first user to be unable to withdraw.
The first PR fixed the problem, and the second PR introduced a bug, which is different from the root cause of the original issue, so I submitted it as a new issue.
Lines of code
Vulnerability details
Comments
The current getTVL only calculates the token value of TokenisableRange, ignoring the value of token0 and token1, which leads to two problems:
removeFromAllTicks
but will notdeployAssets
, which causes getTVL to be 0 (because token0 and token1's value are not calculated), causing other users except the first user to be unable to withdraw.Mitigation
The above-mentioned problems can be perfectly solved by calculating the values of token0 and token1 in getTVL:
removeFromAllTicks
only occur at first time, and then withdraw will directly allocate token0 and token1 in value.In addition, getTVL was reconstructed through two PRs:
The first PR fixed the problem, and the second PR introduced a bug, which is different from the root cause of the original issue, so I submitted it as a new issue.
Conclusion
LGTM