Open hats-bug-reporter[bot] opened 3 days ago
It is not clear at all why the following claim would be true:
Users withdrawing liquidity will receive a proportion of the admin fees they're not entitled to.
For two reasons:
btw, I think your "fix" is broken - if balances[i] = 100 and currentBalance
is 110, it will set balances[i]
to 120.
Github username: @00xWizard Twitter username: 00xWizard Submission hash (on-chain): 0x05ef4795fa3e8bbca00768ddff5d4afc40d88e24dc5dba3448686d27c124dda8 Severity: high
Description: Description
The
donate_admin_fees
function doesn't donate or transfer any fees. Instead, it updates the contract's internal balances array to reflect the total balance of each token held by the contract. This implementation could lead to incorrect accounting within the pool, potentially affecting operations that rely on these balance values.Attack Scenario\
also in addition
The function incorrectly assumes that updating the balances array to the total contract balance is equivalent to "donating" admin fees. In reality, this action merges distinct accounting categories (user liquidity and admin fees) that should remain separate.
Attachments
Proof of Concept (PoC) File
Revised Code File (Optional)
the fix helps with the following: