In RangeManager.initRange, the owner mints tokens upon initialization to avoid the first deposit attack. The input token ratio may not be perfect, or a malicious attacker can manipulate the pool's token ratio in advance, resulting in a certain amount of unused tokens.
These tokens are not refunded; they remain in the contract and may be extracted by attackers through the cleanup function.
Mitigation
uint256 asset0_amt = ASSET_0.balanceOf(address(this));
uint256 asset1_amt = ASSET_1.balanceOf(address(this));
if (asset0_amt > 0) ASSET_0.safeTransfer(msg.sender, asset0_amt);
if (asset1_amt > 0) ASSET_1.safeTransfer(msg.sender, asset1_amt);
Add corresponding logic to return excess tokens
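An added example, not part of the original report or the project's code: a small Python model of why initRange can leave tokens in the contract and how refunding the remaining balance removes them. The proportional-mint rule, the class and function names, and the sample amounts are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class RangeManagerModel:
    """Toy model of the manager contract's own token balances (integers)."""
    refund_unused: bool
    balance0: int = 0
    balance1: int = 0

    def init_range(self, pool0, pool1, amount0, amount1):
        """Owner supplies (amount0, amount1); pool0:pool1 is the pool ratio."""
        self.balance0 += amount0
        self.balance1 += amount1
        # Assumption: the mint consumes tokens only in the pool's current
        # ratio, so the scarcer side bounds how much of the other is used.
        used0 = min(amount0, amount1 * pool0 // pool1)
        used1 = min(amount1, amount0 * pool1 // pool0)
        self.balance0 -= used0
        self.balance1 -= used1
        refunded = (0, 0)
        if self.refund_unused:
            # Same effect as the mitigation: send leftovers back to the caller.
            refunded = (self.balance0, self.balance1)
            self.balance0 = self.balance1 = 0
        return (used0, used1), refunded

    def stranded(self):
        """Tokens still held by the contract after initialization."""
        return self.balance0, self.balance1


def compare(pool0, pool1, amount0, amount1):
    """Return (stranded without refund, stranded with refund, refunded)."""
    before = RangeManagerModel(refund_unused=False)
    before.init_range(pool0, pool1, amount0, amount1)
    after = RangeManagerModel(refund_unused=True)
    _, refunded = after.init_range(pool0, pool1, amount0, amount1)
    return before.stranded(), after.stranded(), refunded


if __name__ == "__main__":
    # Constructed inputs: owner sized the deposit for a 1:1 pool.
    print(compare(1000, 1000, 100, 100))  # ratio matches the deposit
    print(compare(1000, 2000, 100, 100))  # ratio moved before init
```

A useful post-fix check in a test suite is the invariant the model exposes: the contract's balance of both assets is zero immediately after initialization.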
Conclusion
LGTM