The AMM contract contains a function updatePositionC7F1F740 which allows users to add or remove liquidity from a position. However, there is a flaw in the logic that prevents users from removing their liquidity if the pool has been disabled. This function will call internally update_position_internal which in turn will call the following function self.pools.setter(pool).update_position(id, delta)?; in the pool.rs contract. The update_position function checks if the pool is enabled before allowing any updates. The issue arises because this check is applied uniformly, regardless of whether the user is adding liquidity (delta > 0) or removing liquidity (delta < 0).
Impact
Users are unable to withdraw their funds from disabled pools, effectively locking their assets indefinitely.
Proof of Concept
Alice adds liquidity to a pool.
The pool is later disabled by the admin for some reason.
Alice tries to remove her liquidity by calling updatePositionC7F1F740() with a negative delta.
The transaction reverts because the pool is disabled, preventing Alice from accessing her funds.
Tools Used
Manual review
Recommended Mitigation Steps
Modify the logic to allow liquidity removal even when the pool is disabled.
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/seawater/src/pool.rs#L92
Vulnerability details
The AMM contract contains a function
updatePositionC7F1F740
which allows users to add or remove liquidity from a position. However, there is a flaw in the logic that prevents users from removing their liquidity if the pool has been disabled. This function will call internallyupdate_position_internal
which in turn will call the following functionself.pools.setter(pool).update_position(id, delta)?;
in thepool.rs
contract. Theupdate_position
function checks if the pool is enabled before allowing any updates. The issue arises because this check is applied uniformly, regardless of whether the user is adding liquidity (delta > 0
) or removing liquidity (delta < 0
).Impact
Users are unable to withdraw their funds from disabled pools, effectively locking their assets indefinitely.
Proof of Concept
updatePositionC7F1F740()
with a negativedelta
.Tools Used
Manual review
Recommended Mitigation Steps
Modify the logic to allow liquidity removal even when the pool is disabled.
Assessed type
Other