Creating a pool for USDC requires a very large amount of seed capital to be burned
Summary
When adding a pool to an existing market the contract requires an underlying seed payment to prevent share ratio manipulation. It requires and initial seed of 1e12. For 18 decimals tokens this is a fraction of a token but for USDC which is 6 decimals, this amounts to 100,000 USDC tokens. If pool creator is set for max approval they may not even notice and burn $100,000 in USDC.
Vulnerability Detail
function _addPoolToExistingMarket(
SinglePoolInitInfo memory initPool,
uint256 initialActualLiquidityForNewPool,
address seederAndAdmin,
uint32 _marketIndex
) internal {
require(seederAndAdmin != address(0), "Invalid seederAndAdmin can't be zero");
// You require at least 1e12 (1 payment token with 12 decimal places) of the underlying payment token to seed the market.
require(initialActualLiquidityForNewPool >= 1e12, "Insufficient market seed");
require(
_numberOfPoolsOfType[uint256(initPool.poolType)] < 8 &&
initPool.token != address(0) &&
initPool.poolType < PoolType.LAST &&
(initPool.leverage >= 1e18 && initPool.leverage <= 10e18),
"Invalid pool params"
);
MarketExtended#_addPoolToExistingMarket requires that the caller initially seeds the market with 1e12 tokens. For 18 decimal tokens this is a fraction of a token. However USDC is a 6 decimal tokens so 1e12 amounts to 100,000 USDC. The high capital requirement would make starting a pool difficult. To make matters worse this initial liquidity is minted to a dead address meaning 100,000 wouldn't even be recoverable by the caller.
Impact
USDC pools require a huge initial fee to start and will cause a large loss of funds
0x52
high
Creating a pool for USDC requires a very large amount of seed capital to be burned
Summary
When adding a pool to an existing market the contract requires an underlying seed payment to prevent share ratio manipulation. It requires and initial seed of 1e12. For 18 decimals tokens this is a fraction of a token but for USDC which is 6 decimals, this amounts to 100,000 USDC tokens. If pool creator is set for max approval they may not even notice and burn $100,000 in USDC.
Vulnerability Detail
MarketExtended#_addPoolToExistingMarket requires that the caller initially seeds the market with 1e12 tokens. For 18 decimal tokens this is a fraction of a token. However USDC is a 6 decimal tokens so 1e12 amounts to 100,000 USDC. The high capital requirement would make starting a pool difficult. To make matters worse this initial liquidity is minted to a dead address meaning 100,000 wouldn't even be recoverable by the caller.
Impact
USDC pools require a huge initial fee to start and will cause a large loss of funds
Code Snippet
MarketExtended.sol#L117-L159
Tool used
Manual Review
Recommendation
Change initial requirement to 1e6:
Duplicate of #21