code-423n4 / 2024-01-salty-findings


User can add liquidity with tokens' amount less than DUST #658

Closed c4-bot-8 closed 8 months ago

c4-bot-8 commented 9 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/pools/Pools.sol#L140-L165

Vulnerability details

Impact

User can add liquidity with tokens' amount less than DUST

Proof of Concept

Following the author's expectation, when users try to add liquidity, we need to make sure that the tokens' amounts are not less than DUST. We add some input checks by:

        require( maxAmountA > PoolUtils.DUST, "The amount of tokenA to add is too small" );
        require( maxAmountB > PoolUtils.DUST, "The amount of tokenB to add is too small" );

However, the actual amounts transferred into the pool are addedAmountA/addedAmountB. We should add another check to make sure both addedAmountA and addedAmountB are not less than DUST.

Tools Used

Manual

Recommended Mitigation Steps

N/A

Assessed type

Invalid Validation
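The gap described in the report above, as an added example that is not part of the original issue or of the Salty code base: a Python model in which the maxima pass the quoted `require` checks while an amount actually added falls below DUST, next to a variant that also checks the added amounts. It assumes the added amounts are scaled to the current reserve ratio with integer division; the `DUST` value, the function names, the reserves and the last error message are constructed for illustration.

```python
# Simplified model (assumption): added amounts are scaled to the pool's reserve
# ratio, using floor division the way Solidity's uint256 division truncates.
DUST = 100  # constructed threshold for this example, not read from PoolUtils


def proportional_amounts(reserve_a, reserve_b, max_a, max_b):
    """Return (added_a, added_b) scaled to the current reserve ratio."""
    if reserve_a == 0 or reserve_b == 0:
        return max_a, max_b  # empty pool: the deposit itself sets the ratio
    proportional_b = max_a * reserve_b // reserve_a
    if proportional_b > max_b:
        # max_b is the limiting side, so scale tokenA down instead
        return max_b * reserve_a // reserve_b, max_b
    return max_a, proportional_b


def add_liquidity_input_check_only(reserve_a, reserve_b, max_a, max_b):
    """Mirrors the two require() lines quoted above: only the maxima are checked."""
    if max_a <= DUST:
        raise ValueError("The amount of tokenA to add is too small")
    if max_b <= DUST:
        raise ValueError("The amount of tokenB to add is too small")
    return proportional_amounts(reserve_a, reserve_b, max_a, max_b)


def add_liquidity_checked(reserve_a, reserve_b, max_a, max_b):
    """Adds the check the report asks for: added amounts not less than DUST."""
    added_a, added_b = add_liquidity_input_check_only(
        reserve_a, reserve_b, max_a, max_b)
    if added_a < DUST or added_b < DUST:
        raise ValueError("The added amount is too small")  # hypothetical message
    return added_a, added_b


# Constructed pool state: reserves at a 1000:1 ratio.
RESERVE_A, RESERVE_B = 1_000_000, 1_000

if __name__ == "__main__":
    # Both maxima exceed DUST, yet only 50 units of tokenB are actually added.
    print(add_liquidity_input_check_only(RESERVE_A, RESERVE_B, 50_000, 101))
    try:
        add_liquidity_checked(RESERVE_A, RESERVE_B, 50_000, 101)
    except ValueError as err:
        print("rejected:", err)
```
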

c4-judge commented 9 months ago

Picodes changed the severity to QA (Quality Assurance)