search

code-423n4 / 2024-01-salty-findings

5 stars 3 forks source link

The liquidity provider can fail to withdraw his liquidity if he gets blacklisted #958

Closed c4-bot-9 closed 5 months ago

c4-bot-9 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/Liquidity.sol#L131-L132

Vulnerability details

When a liquidity provider wants to withdraw his liquidity, the reclaimed tokens are transferred to the msg.sender.

https://github.com/code-423n4/2024-01-salty/blob/53516c2cdfdfacb662cdea6417c52f23c94d5b5b/src/staking/Liquidity.sol#L131-L132

tokenA.safeTransfer( msg.sender, reclaimedA );
tokenB.safeTransfer( msg.sender, reclaimedB );

The liquidity provider isnt able to specify on what address he wants to receive the tokens so this can be a problem if he gets for example blacklisted while having the tokens in the pools. The transaction will then revert and liquidity providers can fail to withdraw their assets that they deposited.

Impact

The LP will not be able to specify where he wants to receive his tokens so if he gets blacklisted then he will not be able to withdraw liquidity because the transfer would revert.

Proof of Concept

tokenA.safeTransfer( msg.sender, reclaimedA );
tokenB.safeTransfer( msg.sender, reclaimedB );

As you can see in _withdrawLiquidityAndClaim(), the reclaimed tokens are transferred to the msg.sender and there is no way to specify an address where to receive tokens

Tools Used

Manual Review

Recommended Mitigation Steps

Allow the LP to specify an address where they want to receive their reclaimed assets.

Assessed type

Token-Transfer

c4-judge commented 5 months ago

Picodes marked the issue as unsatisfactory: Overinflated severity