code-423n4 / 2023-11-shellprotocol-findings


Withdraws will be bricked if the curve pool gets killed #303

Closed c4-bot-9 closed 8 months ago

c4-bot-9 commented 8 months ago

Lines of code

https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/Curve2PoolAdapter.sol#L170 https://github.com/code-423n4/2023-11-shellprotocol/blob/main/src/adapters/CurveTricryptoAdapter.sol#L219

Vulnerability details

Impact

Liquidity will be locked forever since there is no interface to remove it.

Proof of Concept

Curve pools have a killed parameter that allows an admin to kill the pool, suspending all deposits, swaps, and single-token withdrawals and only allowing the liquidity to be taken out. remove_liquidity_one_coin() has a killed check, which disallows execution of this function when the pool is killed.

assert not self.is_killed  # dev: is killed

This will effectively block any liquidity withdrawals through the ocean accounting system and lock all deposited liquidity, since remove_liquidity() is the only function that does not revert when the pool is killed.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider checking whether the pool is killed and implementing withdraw logic using remove_liquidity().

Assessed type

Other
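An added example (not part of the report or of the Shell Protocol adapters) of the mitigation the report recommends: an adapter fragment that checks the pool's killed flag and falls back to the balanced remove_liquidity() path when the single-coin exit would revert. The ICurve2Pool interface is an assumption: function names follow Curve's StableSwap Vyper pools, but the exact signatures and the KillAwareWithdraw contract are constructed for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal Curve 2-pool interface (not from the page); signatures are assumptions.
interface ICurve2Pool {
    function is_killed() external view returns (bool);
    function remove_liquidity_one_coin(uint256 tokenAmount, int128 i, uint256 minAmount) external;
    function remove_liquidity(uint256 amount, uint256[2] calldata minAmounts) external;
}

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Illustrative adapter: single-coin exit in normal operation, balanced exit once the pool is killed.
contract KillAwareWithdraw {
    ICurve2Pool public immutable pool;
    IERC20[2] public coins;

    constructor(ICurve2Pool _pool, IERC20 coin0, IERC20 coin1) {
        pool = _pool;
        coins = [coin0, coin1];
    }

    /// @param lpAmount   LP tokens to burn (already held by this contract in this sketch)
    /// @param i          index of the coin the caller wants in the normal path
    /// @param minAmounts slippage bounds per coin; only minAmounts[i] applies in the normal path
    /// @return received  amount of each pool coin received by this contract
    function withdraw(uint256 lpAmount, int128 i, uint256[2] memory minAmounts)
        external
        returns (uint256[2] memory received)
    {
        uint256 idx = uint256(int256(i));
        uint256[2] memory before = [coins[0].balanceOf(address(this)), coins[1].balanceOf(address(this))];

        if (!pool.is_killed()) {
            // Normal path: single-coin exit, bounded by the caller's minimum for that coin.
            pool.remove_liquidity_one_coin(lpAmount, i, minAmounts[idx]);
        } else {
            // Killed pool: remove_liquidity_one_coin() hits `assert not self.is_killed` and reverts,
            // so use the proportional remove_liquidity(), which Curve still permits. The caller now
            // receives both coins; a production adapter must credit both to the withdrawer.
            pool.remove_liquidity(lpAmount, minAmounts);
        }

        received[0] = coins[0].balanceOf(address(this)) - before[0];
        received[1] = coins[1].balanceOf(address(this)) - before[1];
    }
}
```

In the killed path the proportional exit cannot honour a single-coin expectation, so callers should pass per-coin minimums rather than reuse the single-coin bound.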

c4-pre-sort commented 8 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #54

c4-judge commented 8 months ago

0xA5DF marked the issue as unsatisfactory: Out of scope