Github username: @KupiaSecAdmin
Submission hash (on-chain): 0xe39fc94c15055957c3e3dc97a8fac51f743434e0994e6589016f641d78fc46d1
Severity: medium
Description:
In LiquidityPool.withdraw(), it burns the caller's eETH balance and transfers eth to recipient. But during the validation at L178, it checks if eETH.balanceOf(msg.sender) < _amount which is wrong. eETH.balanceOf(msg.sender) should be compared with share (eETH amount), not _amount (eth amount). As a result, withdraw() would revert unexpectedly when it should work.

Attack Scenario:
withdraw(Alice, 11 eth) is called. share = 10 eETH but it will revert at L178 because eETH.balanceOf(msg.sender) < _amount = 11 eth.

Recommendation:
L178 should be modified like below.
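The Alice scenario from the report, as an added illustration rather than the LiquidityPool contract's own code: a simplified Python model of share accounting (the shares-for-amount conversion and the deposit/reward bookkeeping are assumptions) in which the reported check at L178 reverts while the corrected share-vs-share check lets the withdrawal through.

```python
class Revert(Exception):
    """Stands in for an EVM revert."""

class PoolModel:
    """Minimal liquid-staking model: eETH balances are shares, the pool holds ETH."""

    def __init__(self):
        self.total_pooled_eth = 0
        self.total_shares = 0
        self.balance_of = {}  # eETH.balanceOf(holder), denominated in shares

    def shares_for_amount(self, amount):
        # Assumed conversion from an ETH amount to eETH shares.
        return amount * self.total_shares // self.total_pooled_eth

    def deposit(self, holder, amount):
        shares = amount if self.total_shares == 0 else self.shares_for_amount(amount)
        self.balance_of[holder] = self.balance_of.get(holder, 0) + shares
        self.total_shares += shares
        self.total_pooled_eth += amount
        return shares

    def accrue_rewards(self, amount):
        # Staking rewards raise the pool's ETH value without minting new shares.
        self.total_pooled_eth += amount

    def withdraw(self, sender, amount, fixed):
        share = self.shares_for_amount(amount)
        balance = self.balance_of.get(sender, 0)
        if not fixed and balance < amount:
            # The check as reported at L178: a share balance against an ETH amount.
            raise Revert("insufficient eETH (buggy check)")
        if fixed and balance < share:
            # Corrected check: compare shares with shares.
            raise Revert("insufficient eETH")
        self.balance_of[sender] = balance - share
        self.total_shares -= share
        self.total_pooled_eth -= amount
        return share

def alice_scenario(fixed):
    """Alice holds 10 eETH; rewards made them worth 11 ETH. Returns shares burned, or None on revert."""
    pool = PoolModel()
    pool.deposit("Alice", 10)
    pool.accrue_rewards(1)  # constructed: 10 shares now back 11 ETH
    try:
        return pool.withdraw("Alice", 11, fixed=fixed)
    except Revert:
        return None
```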