code-423n4 / 2024-05-gondi-mitigation-findings


M-09 MitigationConfirmed #104

Open c4-bot-3 opened 5 months ago

c4-bot-3 commented 5 months ago

Lines of code

Vulnerability details

C4 Issue

M-09: Inconsistent accounting of undeployedAssets might result in undesired optimal range in the pool

Comments

Original vulnerabilities/impacts: In Pool.sol, fees (getCollectedFees) are inconsistently accounted for in the undeployedAssets valuation. As the fees are set aside for the pool owner, they shouldn't be counted towards undeployedAssets to be withdrawn by users.

The original implementation only correctly subtracted fees from undeployedAssets in _getUndeployedAssets(). In other flows, such as validateOffer and _reallocate, getCollectedFees is not subtracted from currentBalance and will be mistakenly included as transferable assets, or affect the optimal range.

Mitigation

Fix: https://github.com/pixeldaogg/florida-contracts/pull/375/files

```solidity
//src/lib/pools/Pool.sol
    function validateOffer(bytes calldata _offer, uint256 _protocolFee) external override onlyAcceptedCallers {
...
        uint256 currentBalance = asset.balanceOf(address(this)) - getAvailableToWithdraw - getCollectedFees;
...

    function _reallocate() private returns (uint256, uint256) {
...
        uint256 currentBalance = asset.balanceOf(address(this)) - getAvailableToWithdraw - getCollectedFees;
...

    function _reallocateOnWithdrawal(uint256 _withdrawn) private {
...
        uint256 currentBalance = asset.balanceOf(address(this)) - getCollectedFees;
```

The mitigation is to factor in getCollectedFees in the undeployed asset calculation in the various flows. In validateOffer(), _reallocate() and _reallocateOnWithdrawal(), getCollectedFees is now subtracted from currentBalance. This correctly factors in fees when accounting for the withdrawable amount or the targetIdle calculations.

The mitigation resolves the issue.

Conclusion

LGTM
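The following is an added Python model of the accounting discussed in this review; it is not code from the Gondi/Pool.sol repository or from the warden, and the balance, withdrawal-queue and fee figures are constructed sample values. It reproduces the two `currentBalance` formulas side by side (the pre-fix one without `getCollectedFees`, and the post-fix one with it) and shows what the gap between them means for an offer validation: under the old arithmetic an offer can be funded out of assets that belong to the pool owner. The names `PoolState`, `undeployed_assets`, `can_fund_offer` and `fees_at_risk` are assumptions for this illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PoolState:
    """Snapshot of the quantities that feed the currentBalance computation.

    Field names mirror the Pool.sol getters discussed in the finding; the
    values used below are constructed for the example, not taken from chain.
    """
    balance: int               # asset.balanceOf(address(this))
    available_to_withdraw: int  # getAvailableToWithdraw: already owed to exiting depositors
    collected_fees: int        # getCollectedFees: set aside for the pool owner


def undeployed_assets(state: PoolState, subtract_fees: bool) -> int:
    """Assets the pool may deploy into new loans.

    subtract_fees=False reproduces the pre-fix formula used by validateOffer /
    _reallocate (balance - availableToWithdraw); subtract_fees=True reproduces
    the mitigated formula that also removes the owner's fees.
    """
    undeployed = state.balance - state.available_to_withdraw
    if subtract_fees:
        undeployed -= state.collected_fees
    if undeployed < 0:
        # Solidity would revert on underflow; mirror that instead of returning garbage.
        raise ValueError("undeployed assets underflow")
    return undeployed


def can_fund_offer(state: PoolState, principal: int, subtract_fees: bool) -> bool:
    """Simplified offer check: the principal must fit inside undeployed assets."""
    return principal <= undeployed_assets(state, subtract_fees)


def fees_at_risk(state: PoolState, principal: int) -> int:
    """How much of the owner's collected fees the pre-fix check would let a
    single offer lend out. Zero when the offer also fits under the fixed formula."""
    honest_capacity = undeployed_assets(state, subtract_fees=True)
    return max(0, principal - honest_capacity)


def reconciles(state: PoolState) -> bool:
    """Invariant the fix restores: every unit of balance is attributed to exactly one
    bucket (deployable, owed to withdrawers, or owed to the owner)."""
    return (
        undeployed_assets(state, subtract_fees=True)
        + state.available_to_withdraw
        + state.collected_fees
        == state.balance
    )


# Constructed sample: 1000 units in the contract, 100 already claimable by
# withdrawers, 50 accrued as owner fees.
SAMPLE = PoolState(balance=1000, available_to_withdraw=100, collected_fees=50)

if __name__ == "__main__":
    offer = 880
    print("pre-fix undeployed :", undeployed_assets(SAMPLE, subtract_fees=False))
    print("post-fix undeployed:", undeployed_assets(SAMPLE, subtract_fees=True))
    print("offer accepted pre-fix :", can_fund_offer(SAMPLE, offer, subtract_fees=False))
    print("offer accepted post-fix:", can_fund_offer(SAMPLE, offer, subtract_fees=True))
    print("owner fees that would be lent out:", fees_at_risk(SAMPLE, offer))
```

With the sample state the pre-fix formula reports 900 deployable units and the post-fix formula 850, so an 880-unit offer passes the old check and lends out 30 units of fees that are not the depositors' to deploy; the same 50-unit overstatement is what skews the targetIdle computation in the reallocation paths.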

c4-judge commented 5 months ago

alex-ppg marked the issue as satisfactory

c4-judge commented 5 months ago

alex-ppg marked the issue as confirmed for report