`lib.add_liquidity` should returns dust token

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0xdd58e018f662ddffafd4671d664ac3777a65d43a1a96e3c4a2e14d6bc9c058d0 Severity: medium

Description: Description\ In lib.add_liquidity, the function first calculate the token share in lib.rs#L599-L606, and then transfer token from caller to the contract in lib.rs#L615-L622

 614             // transfer amounts
 615             for (id, &token) in self.pool.tokens.iter().enumerate() {
 616                 self.token_by_address(token).transfer_from(
 617                     self.env().caller(),
 618                     self.env().account_id(),
 619                     amounts[id], <<<--- Here the user's input is used directly
 620                     vec![],
 621                 )?;
 622             }

In lib.rs#L619, the amounts[id] is used directly.

The issue is that there might be some dust left after calling the function

Attack Scenario\ Please consider a case:

1. tokenA:tokenB = 100:110, user submit a tx to add_liquidity with 100 amount of tokenA, and 110 amount of tokenB
2. then update_rate is called, tokenA:tokenB = 100:100
3. then user's tx is executed, there will be 10 amount tokenB supposed return to user

Attachments

1. Proof of Concept (PoC) File

2. Revised Code File (Optional)

[JanKuczma]

Thank you for your submission.

add_liquidity allows adding liquidity in imbalanced amounts. In this case, the user would receive an appropriate amount of LP tokens based on amounts of tokens.