Users unable to remove liquidity from disabled pools

[howlbot-integration[bot]]

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/pool.rs#L92

Vulnerability details

The AMM contract contains a function updatePositionC7F1F740 which allows users to add or remove liquidity from a position. However, there is a flaw in the logic that prevents users from removing their liquidity if the pool has been disabled. This function will call internally update_position_internal which in turn will call the following function self.pools.setter(pool).update_position(id, delta)?; in the pool.rs contract. The update_position function checks if the pool is enabled before allowing any updates. The issue arises because this check is applied uniformly, regardless of whether the user is adding liquidity (delta > 0) or removing liquidity (delta < 0).

Impact

Users are unable to withdraw their funds from disabled pools, effectively locking their assets indefinitely.

Proof of Concept

1. Alice adds liquidity to a pool.
2. The pool is later disabled by the admin for some reason.
3. Alice tries to remove her liquidity by calling updatePositionC7F1F740() with a negative delta.
4. The transaction reverts because the pool is disabled, preventing Alice from accessing her funds.

Tools Used

Manual review

Recommended Mitigation Steps

Modify the logic to allow liquidity removal even when the pool is disabled.

Assessed type

Other

[c4-judge]

alex-ppg marked the issue as satisfactory